- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: os api execution, relationship_id: REL-2022-0150, name: Process executed Api call, source: process, relationship: executed, target: api call, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: os api execution, relationship_id: REL-2022-0150, name: Process executed Api call, source: process, relationship: executed, target: api call, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1622, is_subtechnique: false, technique: Debugger Evasion, tactic: [defense-evasion, discovery], platform: [Windows, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4703', event_name: A token right was adjusted., event_platform: windows, audit_category: Policy Change, audit_sub_category: Authorization Policy Change, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4673', event_name: A privileged service was called., event_platform: windows, audit_category: Privilege Use, audit_sub_category: Sensitive Privilege Use, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4674', event_name: An operation was attempted on a privileged object., event_platform: windows, audit_category: Privilege Use, audit_sub_category: Sensitive Privilege Use, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4610', event_name: An authentication package has been loaded by the Local Security Authority., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4611', event_name: A trusted logon process has been registered with the Local Security Authority., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4614', event_name: A notification package has been loaded by the Security Account Manager., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4622', event_name: A security package has been loaded by the Local Security Authority., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: '4778', event_name: A session was reconnected to a Window Station., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Other Logon/Logoff Events, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0059, name: User created logon from Port, source: user, relationship: created logon from, target: port, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0059, name: User created logon from Port, source: user, relationship: created logon from, target: port, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4778', event_name: A session was reconnected to a Window Station., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Other Logon/Logoff Events, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4964', event_name: Special groups have been assigned to a new logon., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Special Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: '4625', event_name: An account failed to log on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Account Lockout, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: '4648', event_name: A logon was attempted using explicit credentials., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0122, name: User attempted to authenticate from Device, source: user, relationship: attempted to authenticate from, target: device, event_id: '4776', event_name: The domain controller or local computer attempted to validate the credentials for an account., event_platform: windows, audit_category: Account Logon, audit_sub_category: Credential Validation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0163, name: User authenticated from Device, source: user, relationship: authenticated from, target: device, event_id: '4776', event_name: The domain controller or local computer attempted to validate the credentials for an account., event_platform: windows, audit_category: Account Logon, audit_sub_category: Credential Validation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4625', event_name: An account failed to log on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Account Lockout, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4648', event_name: A logon was attempted using explicit credentials., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1621, is_subtechnique: false, technique: Multi-Factor Authentication Request Generation, tactic: [credential-access], platform: [Windows, Office 365, Linux, macOS, IaaS, SaaS, Azure AD, Google Workspace], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0014, name: User loaded Module, source: user, relationship: loaded, target: module, event_id: '7', event_name: Image loaded., event_platform: windows, audit_category: ImageLoad, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0014, name: User loaded Module, source: user, relationship: loaded, target: module, event_id: DeviceImageLoadEvents, event_name: DeviceImageLoadEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ImageLoaded}]}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0178, name: Process loaded Module, source: process, relationship: loaded, target: module, event_id: '7', event_name: Image loaded., event_platform: windows, audit_category: ImageLoad, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0178, name: Process loaded Module, source: process, relationship: loaded, target: module, event_id: DeviceImageLoadEvents, event_name: DeviceImageLoadEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ImageLoaded}]}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1505.005, is_subtechnique: true, technique: Terminal Services DLL, tactic: [persistence], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation.}
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user 
relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1505.005 is_subtechnique: true technique: Terminal Services DLL tactic: - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: active directory data_component: active directory object creation relationship_id: REL-2022-0136 name: User created AD Object source: user relationship: created target: ad object event_id: '5137' event_name: A directory service object was created. 
event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0003 name: User modified User source: user relationship: modified target: user event_id: '4738' event_name: A user account was changed. event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0003 name: User modified User source: user relationship: modified target: user event_id: '4781' event_name: The name of an account was changed. event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0003 name: User modified User source: user relationship: modified target: user event_id: '4742' event_name: A computer account was changed. 
event_platform: windows audit_category: Account Management audit_sub_category: Computer Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0003 name: User modified User source: user relationship: modified target: user event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: UserAccountModified - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0009 name: User locked User source: user relationship: locked target: user event_id: '4740' event_name: A user account was locked out. event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0019 name: User unlocked User source: user relationship: unlocked target: user event_id: '4767' event_name: A user account was unlocked. 
event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0024 name: User enabled User source: user relationship: enabled target: user event_id: '4722' event_name: A user account was enabled. event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0024 name: User enabled User source: user relationship: enabled target: user event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: UserAccountModified - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0042 name: User granted acess to User source: user relationship: granted access to target: user event_id: '4717' event_name: System security access was granted to an account. 
event_platform: windows audit_category: Policy Change audit_sub_category: Authentication Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0083 name: User removed acess from User source: user relationship: removed access from target: user event_id: '4718' event_name: System security access was removed from an account. event_platform: windows audit_category: Policy Change audit_sub_category: Authentication Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0109 name: User disabled User source: user relationship: disabled target: user event_id: '4725' event_name: A user account was disabled. 
event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0109 name: User disabled User source: user relationship: disabled target: user event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: UserAccountModified - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0133 name: User attempted to modify User source: user relationship: attempted to modify target: user event_id: '4723' event_name: An attempt was made to change an account's password. event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098.005 is_subtechnique: true technique: Device Registration tactic: - persistence platform: - Azure AD - Windows - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0133 name: User attempted to modify User source: user relationship: attempted to modify target: user event_id: '4724' event_name: An attempt was made to reset an account's password. 
event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.013 is_subtechnique: true technique: KernelCallbackTable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.013 is_subtechnique: true technique: KernelCallbackTable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1556.005 is_subtechnique: true technique: Reversible Encryption tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1556.005 is_subtechnique: true technique: Reversible Encryption tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4104' event_name: Script Block Logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1556.005 is_subtechnique: true technique: Reversible Encryption tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScriptContent - technique_id: T1556.005 is_subtechnique: true technique: Reversible Encryption tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: PowerShellCommand - technique_id: T1556.005 is_subtechnique: true technique: Reversible Encryption tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: 
script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: AmsiScriptDetection
- technique_id: T1556.005
  is_subtechnique: true
  technique: Reversible Encryption
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.005
  is_subtechnique: true
  technique: Reversible Encryption
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556.005
  is_subtechnique: true
  technique: Reversible Encryption
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1556.005
  is_subtechnique: true
  technique: Reversible Encryption
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1556.005
  is_subtechnique: true
  technique: Reversible Encryption
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.005
  is_subtechnique: true
  technique: Reversible Encryption
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556.005
  is_subtechnique: true
  technique: Reversible Encryption
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1556.005
  is_subtechnique: true
  technique: Reversible Encryption
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1556.005
  is_subtechnique: true
  technique: Reversible Encryption
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5136'
  event_name: A directory service object was modified.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.005
  is_subtechnique: true
  technique: Reversible Encryption
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5139'
  event_name: A directory service object was moved.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.005
  is_subtechnique: true
  technique: Reversible Encryption
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '4719'
  event_name: System audit policy was changed.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1055.015
  is_subtechnique: true
  technique: ListPlanting
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process modification
  relationship_id: REL-2022-0143
  name: Process modified Process
  source: process
  relationship: modified
  target: process
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.015
  is_subtechnique: true
  technique: ListPlanting
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process modification
  relationship_id: REL-2022-0143
  name: Process modified Process
  source: process
  relationship: modified
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1055.015
  is_subtechnique: true
  technique: ListPlanting
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.015
  is_subtechnique: true
  technique: ListPlanting
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1564.010
  is_subtechnique: true
  technique: Process Argument Spoofing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.010
  is_subtechnique: true
  technique: Process Argument Spoofing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.010
  is_subtechnique: true
  technique: Process Argument Spoofing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1564.010
  is_subtechnique: true
  technique: Process Argument Spoofing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.010
  is_subtechnique: true
  technique: Process Argument Spoofing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1564.010
  is_subtechnique: true
  technique: Process Argument Spoofing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.010
  is_subtechnique: true
  technique: Process Argument Spoofing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.010
  is_subtechnique: true
  technique: Process Argument Spoofing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0029
  name: Process terminated
  source: process
  relationship: terminated
  target: null
  event_id: '5'
  event_name: Process terminated.
  event_platform: windows
  audit_category: ProcessTerminate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0029
  name: Process terminated
  source: process
  relationship: terminated
  target: null
  event_id: '5'
  event_name: Process terminated.
  event_platform: linux
  audit_category: ProcessTerminate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0073
  name: Process searched LDAP
  source: process
  relationship: searched
  target: ldap
  event_id: '30'
  event_name: EventID(30)
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-LDAP-Client/Debug
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0073
  name: Process searched LDAP
  source: process
  relationship: searched
  target: ldap
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LdapSearch
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1562.010
  is_subtechnique: true
  technique: Downgrade Attack
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1620
  is_subtechnique: false
  technique: Reflective Code Loading
  tactic:
  - defense-evasion
  platform:
  - macOS
  - Linux
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1620
  is_subtechnique: false
  technique: Reflective Code Loading
  tactic:
  - defense-evasion
  platform:
  - macOS
  - Linux
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1620
  is_subtechnique: false
  technique: Reflective Code Loading
  tactic:
  - defense-evasion
  platform:
  - macOS
  - Linux
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ScriptContent
- technique_id: T1620
  is_subtechnique: false
  technique: Reflective Code Loading
  tactic:
  - defense-evasion
  platform:
  - macOS
  - Linux
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: PowerShellCommand
- technique_id: T1620
  is_subtechnique: false
  technique: Reflective Code Loading
  tactic:
  - defense-evasion
  platform:
  - macOS
  - Linux
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: AmsiScriptDetection
- technique_id: T1620
  is_subtechnique: false
  technique: Reflective Code Loading
  tactic:
  - defense-evasion
  platform:
  - macOS
  - Linux
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1620
  is_subtechnique: false
  technique: Reflective Code Loading
  tactic:
  - defense-evasion
  platform:
  - macOS
  - Linux
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1620
  is_subtechnique: false
  technique: Reflective Code Loading
  tactic:
  - defense-evasion
  platform:
  - macOS
  - Linux
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1620
  is_subtechnique: false
  technique: Reflective Code Loading
  tactic:
  - defense-evasion
  platform:
  - macOS
  - Linux
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1620
  is_subtechnique: false
  technique: Reflective Code Loading
  tactic:
  - defense-evasion
  platform:
  - macOS
  - Linux
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1620
  is_subtechnique: false
  technique: Reflective Code Loading
  tactic:
  - defense-evasion
  platform:
  - macOS
  - Linux
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.014
  is_subtechnique: true
  technique: MMC
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process
has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.014 is_subtechnique: true technique: MMC tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.014 is_subtechnique: true technique: MMC tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.014 is_subtechnique: true technique: MMC tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.013 is_subtechnique: true technique: Mavinject tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0048 name: Process accessed Registry source: process relationship: accessed target: registry event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0077 name: User accessed Registry source: user relationship: accessed target: registry event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0070 name: Process requested access to Registry source: process relationship: requested access to target: registry event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1614.001 is_subtechnique: true technique: System Language Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0013 name: User requested access to Registry source: user relationship: requested access to target: registry event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1615 is_subtechnique: .nan technique: Group Policy Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1615 is_subtechnique: .nan technique: Group Policy Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1615 is_subtechnique: .nan technique: Group Policy Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1615 is_subtechnique: .nan technique: Group Policy Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1615 is_subtechnique: .nan technique: Group Policy Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1615 is_subtechnique: .nan technique: Group Policy Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: active directory
  data_component: active directory object access
  relationship_id: REL-2022-0015
  name: User requested access to AD Object
  source: user
  relationship: requested access to
  target: ad object
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Access
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: active directory
  data_component: active directory object access
  relationship_id: REL-2022-0085
  name: User accessed AD Object
  source: user
  relationship: accessed
  target: ad object
  event_id: '4662'
  event_name: An operation was performed on an object.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Access
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: active directory
  data_component: active directory object access
  relationship_id: REL-2022-0085
  name: User accessed AD Object
  source: user
  relationship: accessed
  target: ad object
  event_id: '4932'
  event_name: Synchronization of a replica of an Active Directory naming context has begun.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Replication
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ScriptContent
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: PowerShellCommand
- technique_id: T1615
  is_subtechnique: .nan
  technique: Group Policy Discovery
  tactic:
  - discovery
  platform:
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: AmsiScriptDetection
- technique_id: T1036.007
  is_subtechnique: true
  technique: Double File Extension
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1036.007
  is_subtechnique: true
  technique: Double File Extension
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1036.007
  is_subtechnique: true
  technique: Double File Extension
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1036.007
  is_subtechnique: true
  technique: Double File Extension
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1036.007
  is_subtechnique: true
  technique: Double File Extension
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: New registry value created
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.009
  is_subtechnique: true
  technique: Safe Mode Boot
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.008
  is_subtechnique: true
  technique: Email Hiding Rules
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Office 365
  - Linux
  - macOS
  - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.008 is_subtechnique: true technique: Email Hiding Rules tactic: - defense-evasion platform: - Windows - Office 365 - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.008 is_subtechnique: true technique: Email Hiding Rules tactic: - defense-evasion platform: - Windows - Office 365 - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1564.008 is_subtechnique: true technique: Email Hiding Rules tactic: - defense-evasion platform: - Windows - Office 365 - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' 
event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1505.004 is_subtechnique: true technique: IIS Components tactic: - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1027.006 is_subtechnique: true technique: HTML Smuggling tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1027.006 is_subtechnique: true technique: HTML Smuggling tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1027.006 is_subtechnique: true technique: HTML Smuggling tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1027.006 is_subtechnique: true technique: HTML Smuggling tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1027.006 is_subtechnique: true technique: HTML Smuggling tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1027.006 is_subtechnique: true technique: HTML Smuggling tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1027.006 is_subtechnique: true technique: HTML Smuggling tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1553.006 is_subtechnique: true technique: Code Signing Policy Modification tactic: - defense-evasion platform: - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1614 is_subtechnique: .nan technique: System Location Discovery tactic: - discovery platform: - Windows - Linux - macOS - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1611 is_subtechnique: .nan technique: Escape to Host tactic: - privilege-escalation platform: - Windows - Linux - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1016.001 is_subtechnique: true technique: Internet Connection Discovery tactic: - discovery platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1553.005 is_subtechnique: true technique: Mark-of-the-Web Bypass tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1553.005 is_subtechnique: true technique: Mark-of-the-Web Bypass tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: 
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1553.005
  is_subtechnique: true
  technique: Mark-of-the-Web Bypass
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1553.005
  is_subtechnique: true
  technique: Mark-of-the-Web Bypass
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileCreated
- technique_id: T1553.005
  is_subtechnique: true
  technique: Mark-of-the-Web Bypass
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: Process
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: OpenProcessApiCall
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: Process
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '10'
  event_name: Process Access.
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: OpenProcessApiCall
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: Process
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: OpenProcessApiCall
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: SAM
- technique_id: T1555.005
  is_subtechnique: true
  technique: Password Managers
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5136'
  event_name: A directory service object was modified.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5139'
  event_name: A directory service object was moved.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '4719'
  event_name: System audit policy was changed.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: active directory
  data_component: active directory object creation
  relationship_id: REL-2022-0136
  name: User created AD Object
  source: user
  relationship: created
  target: ad object
  event_id: '5137'
  event_name: A directory service object was created.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1484.002
  is_subtechnique: true
  technique: Domain Trust Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
    - Azure AD
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: active directory
  data_component: active directory object creation
  relationship_id: REL-2022-0136
  name: User created AD Object
  source: user
  relationship: created
  target: ad object
  event_id: '5137'
  event_name: A directory service object was created.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5136'
  event_name: A directory service object was modified.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5139'
  event_name: A directory service object was moved.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '4719'
  event_name: System audit policy was changed.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1484.001
  is_subtechnique: true
  technique: Group Policy Modification
  tactic:
    - defense-evasion
    - privilege-escalation
  platform:
    - Windows
  data_source: active directory
  data_component: active directory object deletion
  relationship_id: REL-2022-0063
  name: User deleted AD Object
  source: user
  relationship: deleted
  target: ad object
  event_id: '5141'
  event_name: A directory service object was deleted.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
    - EventType: CreateKey
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryValueSet
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryKeyCreated
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
    - EventType: CreateKey
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryValueSet
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryKeyCreated
- technique_id: T1547.014
  is_subtechnique: true
  technique: Active Setup
  tactic:
    - persistence
    - privilege-escalation
  platform:
- Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: New registry value created - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - 
privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1547.014 is_subtechnique: true technique: Active Setup 
tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1547.014 is_subtechnique: true technique: Active Setup tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4703' event_name: A token right was adjusted. 
event_platform: windows audit_category: Policy Change audit_sub_category: Authorization Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4673' event_name: A privileged service was called. event_platform: windows audit_category: Privilege Use audit_sub_category: Sensitive Privilege Use channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4674' event_name: An operation was attempted on a privileged object. event_platform: windows audit_category: Privilege Use audit_sub_category: Sensitive Privilege Use channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4610' event_name: An authentication package has been loaded by the Local Security Authority. 
event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4611' event_name: A trusted logon process has been registered with the Local Security Authority. event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4614' event_name: A notification package has been loaded by the Security Account Manager. event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4622' event_name: A security package has been loaded by the Local Security Authority. 
event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4648' event_name: A logon was attempted using explicit credentials. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: user account data_component: user account authentication relationship_id: REL-2022-0122 name: User attempted to authenticate from Device source: user relationship: attempted to authenticate from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: user account data_component: user account authentication relationship_id: REL-2022-0163 name: User authenticated from Device source: user relationship: authenticated from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. 
event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4648' event_name: A logon was attempted using explicit credentials. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.002 is_subtechnique: true technique: SAML Tokens tactic: - credential-access platform: - Azure AD - SaaS - Windows - Office 365 - Google Workspace - IaaS data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1606.001 is_subtechnique: true technique: Web Cookies tactic: - credential-access platform: - Linux - macOS - Windows - SaaS - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.001 is_subtechnique: true technique: Web Cookies tactic: - credential-access platform: - Linux - macOS - Windows - SaaS - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.001 is_subtechnique: true technique: Web Cookies tactic: - credential-access platform: - Linux - macOS - Windows - SaaS - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1606.001 is_subtechnique: true technique: Web Cookies tactic: - credential-access platform: - Linux - macOS - Windows - SaaS - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.001 is_subtechnique: true technique: Web Cookies tactic: - credential-access platform: - Linux - macOS - Windows - SaaS - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1606.001 is_subtechnique: true technique: Web Cookies tactic: - credential-access platform: - Linux - macOS - Windows - SaaS - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.001 is_subtechnique: true technique: Web Cookies tactic: - credential-access platform: - Linux - macOS - Windows - SaaS - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.001 is_subtechnique: true technique: Web Cookies tactic: - credential-access platform: - Linux - macOS - Windows - SaaS - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606.001 is_subtechnique: true technique: Web Cookies tactic: - credential-access platform: - Linux - macOS - Windows - SaaS - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1606 is_subtechnique: false technique: Forge Web Credentials tactic: - credential-access platform: - SaaS - Windows - macOS - Linux - Azure AD - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on.
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606 is_subtechnique: false technique: Forge Web Credentials tactic: - credential-access platform: - SaaS - Windows - macOS - Linux - Azure AD - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606 is_subtechnique: false technique: Forge Web Credentials tactic: - credential-access platform: - SaaS - Windows - macOS - Linux - Azure AD - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1606 is_subtechnique: false technique: Forge Web Credentials tactic: - credential-access platform: - SaaS - Windows - macOS - Linux - Azure AD - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on.
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606 is_subtechnique: false technique: Forge Web Credentials tactic: - credential-access platform: - SaaS - Windows - macOS - Linux - Azure AD - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1606 is_subtechnique: false technique: Forge Web Credentials tactic: - credential-access platform: - SaaS - Windows - macOS - Linux - Azure AD - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606 is_subtechnique: false technique: Forge Web Credentials tactic: - credential-access platform: - SaaS - Windows - macOS - Linux - Azure AD - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station.
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606 is_subtechnique: false technique: Forge Web Credentials tactic: - credential-access platform: - SaaS - Windows - macOS - Linux - Azure AD - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1606 is_subtechnique: false technique: Forge Web Credentials tactic: - credential-access platform: - SaaS - Windows - macOS - Linux - Azure AD - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created.
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1555.004 is_subtechnique: true technique: Windows Credential Manager tactic: - credential-access platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1053.006 is_subtechnique: true technique: Systemd Timers tactic: - execution - persistence - privilege-escalation platform: - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053.006 is_subtechnique: true technique: Systemd Timers tactic: - execution - persistence - privilege-escalation platform: - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053.006 is_subtechnique: true technique: Systemd Timers tactic: - execution - persistence - privilege-escalation platform: - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: '6' event_name: Driver loaded. event_platform: windows audit_category: DriverLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: DriverLoaded - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1547.012 is_subtechnique: true technique: Print Processors tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.012
  is_subtechnique: true
  technique: Print Processors
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1547.012
  is_subtechnique: true
  technique: Print Processors
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.012
  is_subtechnique: true
  technique: Print Processors
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1547.012
  is_subtechnique: true
  technique: Print Processors
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1547.012
  is_subtechnique: true
  technique: Print Processors
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.012
  is_subtechnique: true
  technique: Print Processors
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.012
  is_subtechnique: true
  technique: Print Processors
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1547.012
  is_subtechnique: true
  technique: Print Processors
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.007
  is_subtechnique: true
  technique: VBA Stomping
  tactic:
  - defense-evasion
  platform:
  - Linux
  - Windows
  - macOS
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1564.007
  is_subtechnique: true
  technique: VBA Stomping
  tactic:
  - defense-evasion
  platform:
  - Linux
  - Windows
  - macOS
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1564.007
  is_subtechnique: true
  technique: VBA Stomping
  tactic:
  - defense-evasion
  platform:
  - Linux
  - Windows
  - macOS
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ScriptContent
- technique_id: T1564.007
  is_subtechnique: true
  technique: VBA Stomping
  tactic:
  - defense-evasion
  platform:
  - Linux
  - Windows
  - macOS
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: PowerShellCommand
- technique_id: T1564.007
  is_subtechnique: true
  technique: VBA Stomping
  tactic:
  - defense-evasion
  platform:
  - Linux
  - Windows
  - macOS
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: AmsiScriptDetection
- technique_id: T1558.004
  is_subtechnique: true
  technique: AS-REP Roasting
  tactic:
  - credential-access
  platform:
  - Windows
  data_source: active directory
  data_component: active directory credential request
  relationship_id: REL-2022-0100
  name: User requested AD Credential
  source: user
  relationship: requested
  target: ad credential
  event_id: '4768'
  event_name: A Kerberos authentication ticket (TGT) was requested.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Kerberos Authentication Service
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.004
  is_subtechnique: true
  technique: AS-REP Roasting
  tactic:
  - credential-access
  platform:
  - Windows
  data_source: active directory
  data_component: active directory credential request
  relationship_id: REL-2022-0100
  name: User requested AD Credential
  source: user
  relationship: requested
  target: ad credential
  event_id: '4769'
  event_name: A Kerberos service ticket was requested.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Kerberos Service Ticket Operations
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.012
  is_subtechnique: true
  technique: Verclsid
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1205.001
  is_subtechnique: true
  technique: Port Knocking
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1205.001 is_subtechnique: true technique: Port Knocking tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.006 is_subtechnique: true technique: Run Virtual Instance tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.006 is_subtechnique: true technique: Run Virtual Instance tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.006 is_subtechnique: true technique: Run Virtual Instance tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: '4697'
  event_name: A service was installed in the system.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: '7045'
  event_name: A new service was installed in the system.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: Service Control Manager
  filter_in: .nan
- technique_id: T1564.006
  is_subtechnique: true
  technique: Run Virtual Instance
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ServiceInstalled
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1564.005
  is_subtechnique: true
  technique: Hidden File System
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1574.012
  is_subtechnique: true
  technique: COR_PROFILER
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.012 is_subtechnique: true technique: COR_PROFILER tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1098.004 is_subtechnique: true technique: SSH Authorized Keys tactic: - persistence platform: - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1098.004 is_subtechnique: true technique: SSH Authorized Keys tactic: - persistence platform: - Linux - macOS - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1098.004 is_subtechnique: true technique: SSH Authorized Keys tactic: - persistence platform: - Linux - macOS - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1480.001 is_subtechnique: true technique: Environmental Keying tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.007 is_subtechnique: true technique: JavaScript tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.007 is_subtechnique: true technique: JavaScript tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.007 is_subtechnique: true technique: JavaScript tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1059.007 is_subtechnique: true technique: JavaScript tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.007 is_subtechnique: true technique: JavaScript tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.007 is_subtechnique: true technique: JavaScript tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.007 is_subtechnique: true technique: JavaScript tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1059.007 is_subtechnique: true technique: JavaScript tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: script, data_component: script execution, relationship_id: REL-2022-0066, name: Process executed Script, source: process, relationship: executed, target: script, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: script, data_component: script execution, relationship_id: REL-2022-0066, name: Process executed Script, source: process, relationship: executed, target: script, event_id: '4104', event_name: Script Block Logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: script, data_component: script execution, relationship_id: REL-2022-0066, name: Process executed Script, source: process, relationship: executed, target: script, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ScriptContent}]}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: script, data_component: script execution, relationship_id: REL-2022-0066, name: Process executed Script, source: process, relationship: executed, target: script, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: PowerShellCommand}]}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: script, data_component: script execution, relationship_id: REL-2022-0066, name: Process executed Script, source: process, relationship: executed, target: script, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: AmsiScriptDetection}]}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: module, data_component: module load, relationship_id: REL-2022-0014, name: User loaded Module, source: user, relationship: loaded, target: module, event_id: '7', event_name: Image loaded., event_platform: windows, audit_category: ImageLoad, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: module, data_component: module load, relationship_id: REL-2022-0014, name: User loaded Module, source: user, relationship: loaded, target: module, event_id: DeviceImageLoadEvents, event_name: DeviceImageLoadEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ImageLoaded}]}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: module, data_component: module load, relationship_id: REL-2022-0178, name: Process loaded Module, source: process, relationship: loaded, target: module, event_id: '7', event_name: Image loaded., event_platform: windows, audit_category: ImageLoad, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1059.007, is_subtechnique: true, technique: JavaScript, tactic: [execution], platform: [Windows, macOS, Linux], data_source: module, data_component: module load, relationship_id: REL-2022-0178, name: Process loaded Module, source: process, relationship: loaded, target: module, event_id: DeviceImageLoadEvents, event_name: DeviceImageLoadEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ImageLoaded}]}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1127.001, is_subtechnique: true, technique: MSBuild, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeySet}]}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: [{EventType: SetValue}]}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeyCreated}]}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: sensor health, data_component: host status, relationship_id: REL-2022-0061, name: Sensor Health changed, source: sensor health, relationship: changed, target: null, event_id: '4', event_name: Sysmon service state changed., event_platform: windows, audit_category: ServiceStateChange, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: sensor health, data_component: host status, relationship_id: REL-2022-0061, name: Sensor Health changed, source: sensor health, relationship: changed, target: null, event_id: '1100', event_name: The event logging service has shut down., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft-Windows-Eventlog, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: sensor health, data_component: host status, relationship_id: REL-2022-0061, name: Sensor Health changed, source: sensor health, relationship: changed, target: null, event_id: '1101', event_name: Audit events have been dropped by the transport., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft-Windows-Eventlog, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: sensor health, data_component: host status, relationship_id: REL-2022-0061, name: Sensor Health changed, source: sensor health, relationship: changed, target: null, event_id: '1102', event_name: The audit log was cleared., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft-Windows-Eventlog, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: sensor health, data_component: host status, relationship_id: REL-2022-0061, name: Sensor Health changed, source: sensor health, relationship: changed, target: null, event_id: '1104', event_name: The security Log is now full., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft-Windows-Eventlog, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: sensor health, data_component: host status, relationship_id: REL-2022-0061, name: Sensor Health changed, source: sensor health, relationship: changed, target: null, event_id: '6005', event_name: The Event log service was started., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: System, log_source: EventLog, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: sensor health, data_component: host status, relationship_id: REL-2022-0061, name: Sensor Health changed, source: sensor health, relationship: changed, target: null, event_id: '6006', event_name: The Event log service was stopped., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: System, log_source: EventLog, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: sensor health, data_component: host status, relationship_id: REL-2022-0061, name: Sensor Health changed, source: sensor health, relationship: changed, target: null, event_id: '4616', event_name: The system time was changed., event_platform: windows, audit_category: System, audit_sub_category: Security State Change, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1562.006, is_subtechnique: true, technique: Indicator Blocking, tactic: [defense-evasion], platform: [Windows, macOS, Linux], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1027.004, is_subtechnique: true, technique: Compile After Delivery, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '11', event_name: FileCreate., event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1027.004, is_subtechnique: true, technique: Compile After Delivery, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1027.004, is_subtechnique: true, technique: Compile After Delivery, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1027.004, is_subtechnique: true, technique: Compile After Delivery, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1027.004, is_subtechnique: true, technique: Compile After Delivery, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1027.004, is_subtechnique: true, technique: Compile After Delivery, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1027.004, is_subtechnique: true, technique: Compile After Delivery, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1027.004, is_subtechnique: true, technique: Compile After Delivery, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1027.004, is_subtechnique: true, technique: Compile After Delivery, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation.
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1027.004 is_subtechnique: true technique: Compile After Delivery tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.015 is_subtechnique: true technique: Component Object Model Hijacking tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1572 is_subtechnique: .nan technique: Protocol Tunneling tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1572
  is_subtechnique: .nan
  technique: Protocol Tunneling
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: SAM
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1048.003
  is_subtechnique: true
  technique: Exfiltration Over Unencrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1048.003 is_subtechnique: true technique: Exfiltration Over Unencrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1048.002
  is_subtechnique: true
  technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1048.002 is_subtechnique: true technique: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionAttempt
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ListeningConnectionCreated
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionRequest
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ListeningConnectionCreated
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionRequest
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1048.001
  is_subtechnique: true
  technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1048.001 is_subtechnique: true technique: Exfiltration Over Symmetric Encrypted Non-C2 Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.003 is_subtechnique: true technique: Multi-hop Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1090.003
  is_subtechnique: true
  technique: Multi-hop Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.002
  is_subtechnique: true
  technique: External Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090.002 is_subtechnique: true technique: External Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.001 is_subtechnique: true technique: Internal Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090.001 is_subtechnique: true technique: Internal Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090.001 is_subtechnique: true technique: Internal Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.001 is_subtechnique: true technique: Internal Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090.001 is_subtechnique: true technique: Internal Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1090.001
  is_subtechnique: true
  technique: Internal Proxy
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090.001 is_subtechnique: true technique: Internal Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090.001 is_subtechnique: true technique: Internal Proxy tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.003 is_subtechnique: true technique: One-Way Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102.002 is_subtechnique: true technique: Bidirectional Communication tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1074.002 is_subtechnique: true technique: Remote Data Staging tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1074.002 is_subtechnique: true technique: Remote Data Staging tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1074.002 is_subtechnique: true technique: Remote Data Staging tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file access, relationship_id: REL-2022-0036, name: Process requested access to File, source: process, relationship: requested access to, target: file, event_id: '4656', event_name: A handle to an object was requested., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: File}]}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file access, relationship_id: REL-2022-0075, name: User accessed File, source: user, relationship: accessed, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: File}]}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file access, relationship_id: REL-2022-0092, name: User requested access to File, source: user, relationship: requested access to, target: file, event_id: '4656', event_name: A handle to an object was requested., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: File}]}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file access, relationship_id: REL-2022-0092, name: User requested access to File, source: user, relationship: requested access to, target: file, event_id: '4661', event_name: A handle to an object was requested., event_platform: windows, audit_category: Object Access, audit_sub_category: SAM, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: SAM}]}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file access, relationship_id: REL-2022-0139, name: Process accessed File, source: process, relationship: accessed, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '11', event_name: FileCreate., event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1074.002, is_subtechnique: true, technique: Remote Data Staging, tactic: [collection], platform: [Windows, IaaS, Linux, macOS], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeySet}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: [{EventType: SetValue}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeyCreated}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '11', event_name: FileCreate., event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file access, relationship_id: REL-2022-0036, name: Process requested access to File, source: process, relationship: requested access to, target: file, event_id: '4656', event_name: A handle to an object was requested., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: File}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file access, relationship_id: REL-2022-0075, name: User accessed File, source: user, relationship: accessed, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: File}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file access, relationship_id: REL-2022-0092, name: User requested access to File, source: user, relationship: requested access to, target: file, event_id: '4656', event_name: A handle to an object was requested., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: File}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file access, relationship_id: REL-2022-0092, name: User requested access to File, source: user, relationship: requested access to, target: file, event_id: '4661', event_name: A handle to an object was requested., event_platform: windows, audit_category: Object Access, audit_sub_category: SAM, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: SAM}]}
- {technique_id: T1074.001, is_subtechnique: true, technique: Local Data Staging, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file access, relationship_id: REL-2022-0139, name: Process accessed File, source: process, relationship: accessed, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileModified}]}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '2', event_name: A process changed a file creation time., event_platform: windows, audit_category: FileCreateTime, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '11', event_name: FileCreate., event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileModified}]}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileRenamed}]}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: os api execution, relationship_id: REL-2022-0150, name: Process executed Api call, source: process, relationship: executed, target: api call, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: os api execution, relationship_id: REL-2022-0150, name: Process executed Api call, source: process, relationship: executed, target: api call, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1564.004, is_subtechnique: true, technique: NTFS File Attributes, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1564.003, is_subtechnique: true, technique: Hidden Window, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: script, data_component: script execution, relationship_id: REL-2022-0066, name: Process executed Script, source: process, relationship: executed, target: script, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1564.003, is_subtechnique: true, technique: Hidden Window, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: script, data_component: script execution, relationship_id: REL-2022-0066, name: Process executed Script, source: process, relationship: executed, target: script, event_id: '4104', event_name: Script Block Logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1564.003, is_subtechnique: true, technique: Hidden Window, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: script, data_component: script execution, relationship_id: REL-2022-0066, name: Process executed Script, source: process, relationship: executed, target: script, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ScriptContent}]}
- {technique_id: T1564.003, is_subtechnique: true, technique: Hidden Window, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: script, data_component: script execution, relationship_id: REL-2022-0066, name: Process executed Script, source: process, relationship: executed, target: script, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: PowerShellCommand}]}
- {technique_id: T1564.003, is_subtechnique: true, technique: Hidden Window, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: script, data_component: script execution, relationship_id: REL-2022-0066, name: Process executed Script, source: process, relationship: executed, target: script, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: AmsiScriptDetection}]}
- technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: 
user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process 
source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.003 is_subtechnique: true technique: Hidden Window tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4648' event_name: A logon was attempted using explicit credentials. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0122 name: User attempted to authenticate from Device source: user relationship: attempted to authenticate from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. 
event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0163 name: User authenticated from Device source: user relationship: authenticated from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4648' event_name: A logon was attempted using explicit credentials. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1078.003 is_subtechnique: true technique: Local Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Linux - macOS - Windows - Containers data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4703' event_name: A token right was adjusted. 
event_platform: windows audit_category: Policy Change audit_sub_category: Authorization Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- {technique_id: T1078.003, is_subtechnique: true, technique: Local Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows, Containers], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4673', event_name: A privileged service was called., event_platform: windows, audit_category: Privilege Use, audit_sub_category: Sensitive Privilege Use, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.003, is_subtechnique: true, technique: Local Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows, Containers], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4674', event_name: An operation was attempted on a privileged object., event_platform: windows, audit_category: Privilege Use, audit_sub_category: Sensitive Privilege Use, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.003, is_subtechnique: true, technique: Local Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows, Containers], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4610', event_name: An authentication package has been loaded by the Local Security Authority., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.003, is_subtechnique: true, technique: Local Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows, Containers], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4611', event_name: A trusted logon process has been registered with the Local Security Authority., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.003, is_subtechnique: true, technique: Local Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows, Containers], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4614', event_name: A notification package has been loaded by the Security Account Manager., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.003, is_subtechnique: true, technique: Local Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows, Containers], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4622', event_name: A security package has been loaded by the Local Security Authority., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: '4778', event_name: A session was reconnected to a Window Station., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Other Logon/Logoff Events, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0059, name: User created logon from Port, source: user, relationship: created logon from, target: port, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0059, name: User created logon from Port, source: user, relationship: created logon from, target: port, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4778', event_name: A session was reconnected to a Window Station., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Other Logon/Logoff Events, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4964', event_name: Special groups have been assigned to a new logon., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Special Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4703', event_name: A token right was adjusted., event_platform: windows, audit_category: Policy Change, audit_sub_category: Authorization Policy Change, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4673', event_name: A privileged service was called., event_platform: windows, audit_category: Privilege Use, audit_sub_category: Sensitive Privilege Use, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4674', event_name: An operation was attempted on a privileged object., event_platform: windows, audit_category: Privilege Use, audit_sub_category: Sensitive Privilege Use, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4610', event_name: An authentication package has been loaded by the Local Security Authority., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4611', event_name: A trusted logon process has been registered with the Local Security Authority., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4614', event_name: A notification package has been loaded by the Security Account Manager., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session metadata, relationship_id: REL-2022-0050, name: Logon Metadata, source: logon, relationship: metadata, target: null, event_id: '4622', event_name: A security package has been loaded by the Local Security Authority., event_platform: windows, audit_category: System, audit_sub_category: Security System Extension, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: '4625', event_name: An account failed to log on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Account Lockout, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: '4648', event_name: A logon was attempted using explicit credentials., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0122, name: User attempted to authenticate from Device, source: user, relationship: attempted to authenticate from, target: device, event_id: '4776', event_name: The domain controller or local computer attempted to validate the credentials for an account., event_platform: windows, audit_category: Account Logon, audit_sub_category: Credential Validation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0163, name: User authenticated from Device, source: user, relationship: authenticated from, target: device, event_id: '4776', event_name: The domain controller or local computer attempted to validate the credentials for an account., event_platform: windows, audit_category: Account Logon, audit_sub_category: Credential Validation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4625', event_name: An account failed to log on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Account Lockout, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4648', event_name: A logon was attempted using explicit credentials., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.002, is_subtechnique: true, technique: Domain Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Linux, macOS, Windows], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: '4778', event_name: A session was reconnected to a Window Station., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Other Logon/Logoff Events, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0059, name: User created logon from Port, source: user, relationship: created logon from, target: port, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0059, name: User created logon from Port, source: user, relationship: created logon from, target: port, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4778', event_name: A session was reconnected to a Window Station., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Other Logon/Logoff Events, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4964', event_name: Special groups have been assigned to a new logon., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Special Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: '4625', event_name: An account failed to log on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Account Lockout, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: '4648', event_name: A logon was attempted using explicit credentials., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0122, name: User attempted to authenticate from Device, source: user, relationship: attempted to authenticate from, target: device, event_id: '4776', event_name: The domain controller or local computer attempted to validate the credentials for an account., event_platform: windows, audit_category: Account Logon, audit_sub_category: Credential Validation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0163, name: User authenticated from Device, source: user, relationship: authenticated from, target: device, event_id: '4776', event_name: The domain controller or local computer attempted to validate the credentials for an account., event_platform: windows, audit_category: Account Logon, audit_sub_category: Credential Validation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4625', event_name: An account failed to log on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Account Lockout, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4648', event_name: A logon was attempted using explicit credentials., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1078.001, is_subtechnique: true, technique: Default Accounts, tactic: [defense-evasion, persistence, privilege-escalation, initial-access], platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1564.002, is_subtechnique: true, technique: Hidden Users, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: user account, data_component: user account creation, relationship_id: REL-2022-0002, name: User created User, source: user, relationship: created, target: user, event_id: '4720', event_name: A user account was created., event_platform: windows, audit_category: Account Management, audit_sub_category: User Account Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1564.002, is_subtechnique: true, technique: Hidden Users, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: user account, data_component: user account creation, relationship_id: REL-2022-0002, name: User created User, source: user, relationship: created, target: user, event_id: '4741', event_name: A computer account was created., event_platform: windows, audit_category: Account Management, audit_sub_category: Computer Account Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1564.002, is_subtechnique: true, technique: Hidden Users, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: user account, data_component: user account creation, relationship_id: REL-2022-0002, name: User created User, source: user, relationship: created, target: user, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: UserAccountCreated}]}
- {technique_id: T1564.002, is_subtechnique: true, technique: Hidden Users, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1564.002, is_subtechnique: true, technique: Hidden Users, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1564.002, is_subtechnique: true, technique: Hidden Users, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1564.002, is_subtechnique: true, technique: Hidden Users, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1564.002, is_subtechnique: true, technique: Hidden Users, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1564.002, is_subtechnique: true, technique: Hidden Users, tactic: [defense-evasion], platform: [macOS, Windows, Linux], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeySet}]}
- technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set).
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command 
source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.002 is_subtechnique: true technique: Hidden Users tactic: - defense-evasion platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.006 is_subtechnique: true technique: Dynamic Linker Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1574.006 is_subtechnique: true technique: Dynamic Linker Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1574.006 is_subtechnique: true technique: Dynamic Linker Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1574.006 is_subtechnique: true technique: Dynamic Linker Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1574.006 is_subtechnique: true technique: Dynamic Linker Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process 
Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. 
event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.002 is_subtechnique: true technique: DLL Side-Loading tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion 
platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint 
filter_in: - ActionType: FileCreated - technique_id: T1574.001 is_subtechnique: true technique: DLL Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. 
event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.008 is_subtechnique: true technique: Path Interception by Search Order Hijacking tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.007 is_subtechnique: true technique: Path Interception by PATH Environment Variable tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.007
  is_subtechnique: true
  technique: Path Interception by PATH Environment Variable
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1574.007
  is_subtechnique: true
  technique: Path Interception by PATH Environment Variable
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.007
  is_subtechnique: true
  technique: Path Interception by PATH Environment Variable
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.007
  is_subtechnique: true
  technique: Path Interception by PATH Environment Variable
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1574.007
  is_subtechnique: true
  technique: Path Interception by PATH Environment Variable
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1574.007
  is_subtechnique: true
  technique: Path Interception by PATH Environment Variable
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.007
  is_subtechnique: true
  technique: Path Interception by PATH Environment Variable
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.007
  is_subtechnique: true
  technique: Path Interception by PATH Environment Variable
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1574.007
  is_subtechnique: true
  technique: Path Interception by PATH Environment Variable
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.009
  is_subtechnique: true
  technique: Path Interception by Unquoted Path
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1574.011
  is_subtechnique: true
  technique: Services Registry Permissions Weakness
  tactic:
  - persistence
  - privilege-escalation
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.011 is_subtechnique: true technique: Services Registry Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File 
Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: 
DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0094 name: Service stopped source: service relationship: stopped target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0094 name: Service stopped source: service relationship: stopped target: null event_id: '6006' event_name: The Event log service was stopped. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0184 name: Service started source: service relationship: started target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0184 name: Service started source: service relationship: started target: null event_id: '6005' event_name: The Event log service was started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.005 is_subtechnique: true technique: Executable Installer File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - 
privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: 
.nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0094 name: Service stopped source: service relationship: stopped target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0094 name: Service stopped source: service relationship: stopped target: null event_id: '6006' event_name: The Event log service was stopped. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan
- technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0184 name: Service started source: service relationship: started target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574.010 is_subtechnique: true technique: Services File Permissions Weakness tactic: - persistence - privilege-escalation - defense-evasion platform: - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0184 name: Service started source: service relationship: started target: null event_id: '6005' event_name: The Event log service was started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0094 name: Service stopped source: service relationship: stopped target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0094 name: Service stopped source: service relationship: stopped target: null event_id: '6006' event_name: The Event log service was stopped. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0184 name: Service started source: service relationship: started target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: service data_component: service metadata relationship_id: REL-2022-0184 name: Service started source: service relationship: started target: null event_id: '6005' event_name: The Event log service was started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1574 is_subtechnique: false technique: Hijack Execution Flow tactic: - persistence - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created.
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1069.001 is_subtechnique: true technique: Local Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: named pipe data_component: named pipe metadata relationship_id: REL-2022-0060 name: Process connected to Pipe source: process relationship: connected to target: pipe event_id: '18' event_name: PipeEvent (Pipe Connected). event_platform: windows audit_category: PipeEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: named pipe data_component: named pipe metadata relationship_id: REL-2022-0093 name: Process created Pipe source: process relationship: created target: pipe event_id: '17' event_name: PipeEvent (Pipe Created). 
event_platform: windows audit_category: PipeEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: named pipe data_component: named pipe metadata relationship_id: REL-2022-0093 name: Process created Pipe source: process relationship: created target: pipe event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Detailed File Share channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: named pipe data_component: named pipe metadata relationship_id: REL-2022-0098 name: User connected to Pipe source: user relationship: connected to target: pipe event_id: '18' event_name: PipeEvent (Pipe Connected). event_platform: windows audit_category: PipeEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: named pipe data_component: named pipe metadata relationship_id: REL-2022-0129 name: User created Pipe source: user relationship: created target: pipe event_id: '17' event_name: PipeEvent (Pipe Created). 
event_platform: windows audit_category: PipeEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: named pipe data_component: named pipe metadata relationship_id: REL-2022-0129 name: User created Pipe source: user relationship: created target: pipe event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: named pipe data_component: named pipe metadata relationship_id: REL-2022-0129 name: User created Pipe source: user relationship: created target: pipe event_id: '5145' event_name: A network share object was checked to see whether client can be granted desired access. event_platform: windows audit_category: Object Access audit_sub_category: Detailed File Share channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: 
FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network share data_component: network share access relationship_id: REL-2022-0078 name: User attempted to access Network Share source: user relationship: attempted to access target: network share event_id: '5140' event_name: A network share object was accessed. event_platform: windows audit_category: Object Access audit_sub_category: File Share channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network share data_component: network share access relationship_id: REL-2022-0078 name: User attempted to access Network Share source: user relationship: attempted to access target: network share event_id: '5145' event_name: A network share object was checked to see whether client can be granted desired access. 
event_platform: windows audit_category: Object Access audit_sub_category: Detailed File Share channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network share data_component: network share access relationship_id: REL-2022-0078 name: User attempted to access Network Share source: user relationship: attempted to access target: network share event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1570 is_subtechnique: false technique: Lateral Tool Transfer tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process 
event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1204.002 is_subtechnique: true technique: Malicious File tactic: - execution platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204.001 is_subtechnique: true technique: Malicious Link tactic: - execution platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1204.001
  is_subtechnique: true
  technique: Malicious Link
  tactic:
  - execution
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1195.003
  is_subtechnique: true
  technique: Compromise Hardware Supply Chain
  tactic:
  - initial-access
  platform:
  - Linux
  - macOS
  - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1195.003
  is_subtechnique: true
  technique: Compromise Hardware Supply Chain
  tactic:
  - initial-access
  platform:
  - Linux
  - macOS
  - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1100'
  event_name: The event logging service has shut down.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1195.003
  is_subtechnique: true
  technique: Compromise Hardware Supply Chain
  tactic:
  - initial-access
  platform:
  - Linux
  - macOS
  - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1101'
  event_name: Audit events have been dropped by the transport.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1195.003
  is_subtechnique: true
  technique: Compromise Hardware Supply Chain
  tactic:
  - initial-access
  platform:
  - Linux
  - macOS
  - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1102'
  event_name: The audit log was cleared.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1195.003
  is_subtechnique: true
  technique: Compromise Hardware Supply Chain
  tactic:
  - initial-access
  platform:
  - Linux
  - macOS
  - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1104'
  event_name: The security Log is now full.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1195.003
  is_subtechnique: true
  technique: Compromise Hardware Supply Chain
  tactic:
  - initial-access
  platform:
  - Linux
  - macOS
  - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1195.003
  is_subtechnique: true
  technique: Compromise Hardware Supply Chain
  tactic:
  - initial-access
  platform:
  - Linux
  - macOS
  - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1195.003
  is_subtechnique: true
  technique: Compromise Hardware Supply Chain
  tactic:
  - initial-access
  platform:
  - Linux
  - macOS
  - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4616'
  event_name: The system time was changed.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security State Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1568.001
  is_subtechnique: true
  technique: Fast Flux DNS
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1568.001 is_subtechnique: true technique: Fast Flux DNS tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1052.001 is_subtechnique: true technique: Exfiltration over USB tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: SAM
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: drive
  data_component: drive creation
  relationship_id: REL-2022-0069
  name: User attempted to install Drive
  source: user
  relationship: attempted to install
  target: drive
  event_id: '6423'
  event_name: The installation of this device is forbidden by system policy.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: PNP Activity
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: drive
  data_component: drive creation
  relationship_id: REL-2022-0114
  name: User installed Drive
  source: user
  relationship: installed
  target: drive
  event_id: '6416'
  event_name: A new external device was recognized by the system.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: PNP Activity
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: drive
  data_component: drive creation
  relationship_id: REL-2022-0114
  name: User installed Drive
  source: user
  relationship: installed
  target: drive
  event_id: '6424'
  event_name: The installation of this device was allowed, after having previously been forbidden by policy.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: PNP Activity
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1052.001
  is_subtechnique: true
  technique: Exfiltration over USB
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - OperationType: Existing registry value modified
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryValueSet
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryKeySet
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
    - EventType: SetValue
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - OperationType: Existing registry value modified
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryValueSet
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryKeyCreated
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: '4697'
  event_name: A service was installed in the system.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: '7045'
  event_name: A new service was installed in the system.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: Service Control Manager
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ServiceInstalled
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569.002
  is_subtechnique: true
  technique: Service Execution
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: '4697'
  event_name: A service was installed in the system.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: '7045'
  event_name: A new service was installed in the system.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: Service Control Manager
  filter_in: .nan
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ServiceInstalled
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - OperationType: Existing registry value modified
- technique_id: T1569
  is_subtechnique: .nan
  technique: System Services
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created 
target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: 
'4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1569 is_subtechnique: .nan technique: System Services tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1568 is_subtechnique: .nan technique: Dynamic Resolution tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1568
  is_subtechnique: .nan
  technique: Dynamic Resolution
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1011.001
  is_subtechnique: true
  technique: Exfiltration Over Bluetooth
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1011.001 is_subtechnique: true technique: Exfiltration Over Bluetooth tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1567.002 is_subtechnique: true technique: Exfiltration to Cloud Storage tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1567.001 is_subtechnique: true technique: Exfiltration to Code Repository tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created.
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation.
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1059.006 is_subtechnique: true technique: Python tactic: - execution platform: - Linux - Windows - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4104' event_name: Script Block Logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScriptContent - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: PowerShellCommand - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: AmsiScriptDetection - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: 
module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1059.005 is_subtechnique: true technique: Visual Basic tactic: - execution platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.004 is_subtechnique: true technique: Unix Shell tactic: - execution platform: - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' 
event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1059.004 is_subtechnique: true technique: Unix Shell tactic: - execution platform: - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1059.004 is_subtechnique: true technique: Unix Shell tactic: - execution platform: - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1059.003 is_subtechnique: true technique: Windows Command Shell tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059.003
  is_subtechnique: true
  technique: Windows Command Shell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0029
  name: Process terminated
  source: process
  relationship: terminated
  target: null
  event_id: '5'
  event_name: Process terminated.
  event_platform: windows
  audit_category: ProcessTerminate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0073
  name: Process searched LDAP
  source: process
  relationship: searched
  target: ldap
  event_id: '30'
  event_name: EventID(30)
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-LDAP-Client/Debug
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0073
  name: Process searched LDAP
  source: process
  relationship: searched
  target: ldap
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LdapSearch
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ImageLoaded
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ImageLoaded
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ScriptContent
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: PowerShellCommand
- technique_id: T1059.001
  is_subtechnique: true
  technique: PowerShell
  tactic:
    - execution
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: AmsiScriptDetection
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: SAM
- technique_id: T1567
  is_subtechnique: .nan
  technique: Exfiltration Over Web Service
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1497.003
  is_subtechnique: true
  technique: Time Based Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1497.002
  is_subtechnique: true
  technique: User Activity Based Checks
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497.002
  is_subtechnique: true
  technique: User Activity Based Checks
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497.002
  is_subtechnique: true
  technique: User Activity Based Checks
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1497.002
  is_subtechnique: true
  technique: User Activity Based Checks
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1497.002
  is_subtechnique: true
  technique: User Activity Based Checks
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497.002
  is_subtechnique: true
  technique: User Activity Based Checks
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1497.002
  is_subtechnique: true
  technique: User Activity Based Checks
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497.002
  is_subtechnique: true
  technique: User Activity Based Checks
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497.002
  is_subtechnique: true
  technique: User Activity Based Checks
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1497.002
  is_subtechnique: true
  technique: User Activity Based Checks
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1497.002
  is_subtechnique: true
  technique: User Activity Based Checks
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1497.002 is_subtechnique: true technique: User Activity Based Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1497.002 is_subtechnique: true technique: User Activity Based Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1497.002 is_subtechnique: true technique: User Activity Based Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1497.002 is_subtechnique: true technique: User Activity Based Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1497.002 is_subtechnique: true technique: User Activity Based Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1497.002 is_subtechnique: true technique: User Activity Based Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1497.002 is_subtechnique: true technique: User Activity Based Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1497.002 is_subtechnique: true technique: User Activity Based Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1497.002 is_subtechnique: true technique: User Activity Based Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1497.002 is_subtechnique: true technique: User Activity Based Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1497.001 is_subtechnique: true technique: System Checks tactic: - defense-evasion - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1498.002 is_subtechnique: true technique: Reflection Amplification tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4' event_name: Sysmon service state changed. 
event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1498.002 is_subtechnique: true technique: Reflection Amplification tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1100' event_name: The event logging service has shut down. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1498.002 is_subtechnique: true technique: Reflection Amplification tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1101' event_name: Audit events have been dropped by the transport. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1498.002 is_subtechnique: true technique: Reflection Amplification tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1102' event_name: The audit log was cleared. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1498.002 is_subtechnique: true technique: Reflection Amplification tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1104' event_name: The security Log is now full. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1498.002 is_subtechnique: true technique: Reflection Amplification tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6005' event_name: The Event log service was started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1498.002 is_subtechnique: true technique: Reflection Amplification tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6006' event_name: The Event log service was stopped. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1498.002 is_subtechnique: true technique: Reflection Amplification tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4616' event_name: The system time was changed. event_platform: windows audit_category: System audit_sub_category: Security State Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1498.001 is_subtechnique: true technique: Direct Network Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1498.001 is_subtechnique: true technique: Direct Network Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1100' event_name: The event logging service has shut down. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1498.001 is_subtechnique: true technique: Direct Network Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1101' event_name: Audit events have been dropped by the transport. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1498.001 is_subtechnique: true technique: Direct Network Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1102' event_name: The audit log was cleared. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1498.001 is_subtechnique: true technique: Direct Network Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1104' event_name: The security Log is now full. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1498.001 is_subtechnique: true technique: Direct Network Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6005' event_name: The Event log service was started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1498.001 is_subtechnique: true technique: Direct Network Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6006' event_name: The Event log service was stopped. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1498.001 is_subtechnique: true technique: Direct Network Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4616' event_name: The system time was changed. 
event_platform: windows audit_category: System audit_sub_category: Security State Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1566.001 is_subtechnique: true technique: Spearphishing Attachment tactic: - initial-access platform: - macOS - Windows - Linux data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1566.001 is_subtechnique: true technique: Spearphishing Attachment tactic: - initial-access platform: - macOS - Windows - Linux data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1566.001 is_subtechnique: true technique: Spearphishing Attachment tactic: - initial-access platform: - macOS - Windows - Linux data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- {technique_id: T1566.001, is_subtechnique: true, technique: Spearphishing Attachment, tactic: [initial-access], platform: [macOS, Windows, Linux], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1566.001, is_subtechnique: true, technique: Spearphishing Attachment, tactic: [initial-access], platform: [macOS, Windows, Linux], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1566.001, is_subtechnique: true, technique: Spearphishing Attachment, tactic: [initial-access], platform: [macOS, Windows, Linux], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1566.001, is_subtechnique: true, technique: Spearphishing Attachment, tactic: [initial-access], platform: [macOS, Windows, Linux], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1566, is_subtechnique: .nan, technique: Phishing, tactic: [initial-access], platform: [Linux, macOS, Windows, SaaS, Office 365, Google Workspace], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '11', event_name: FileCreate., event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1566, is_subtechnique: .nan, technique: Phishing, tactic: [initial-access], platform: [Linux, macOS, Windows, SaaS, Office 365, Google Workspace], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1566, is_subtechnique: .nan, technique: Phishing, tactic: [initial-access], platform: [Linux, macOS, Windows, SaaS, Office 365, Google Workspace], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1566, is_subtechnique: .nan, technique: Phishing, tactic: [initial-access], platform: [Linux, macOS, Windows, SaaS, Office 365, Google Workspace], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1566, is_subtechnique: .nan, technique: Phishing, tactic: [initial-access], platform: [Linux, macOS, Windows, SaaS, Office 365, Google Workspace], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1566, is_subtechnique: .nan, technique: Phishing, tactic: [initial-access], platform: [Linux, macOS, Windows, SaaS, Office 365, Google Workspace], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1566, is_subtechnique: .nan, technique: Phishing, tactic: [initial-access], platform: [Linux, macOS, Windows, SaaS, Office 365, Google Workspace], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: '23', event_name: File Delete archived., event_platform: windows, audit_category: FileDelete, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: '23', event_name: File Delete archived., event_platform: linux, audit_category: FileDelete, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: '26', event_name: File Delete logged., event_platform: windows, audit_category: FileDeleteDetected, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: '4660', event_name: An object was deleted., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileDeleted}]}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: '23', event_name: File Delete archived., event_platform: windows, audit_category: FileDelete, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: '23', event_name: File Delete archived., event_platform: linux, audit_category: FileDelete, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: '26', event_name: File Delete logged., event_platform: windows, audit_category: FileDeleteDetected, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: '4660', event_name: An object was deleted., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileDeleted}]}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileModified}]}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '2', event_name: A process changed a file creation time., event_platform: windows, audit_category: FileCreateTime, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '11', event_name: FileCreate., event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileModified}]}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileRenamed}]}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '11', event_name: FileCreate., event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: process, data_component: os api execution, relationship_id: REL-2022-0150, name: Process executed Api call, source: process, relationship: executed, target: api call, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.003, is_subtechnique: true, technique: Runtime Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: process, data_component: os api execution, relationship_id: REL-2022-0150, name: Process executed Api call, source: process, relationship: executed, target: api call, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1565.002, is_subtechnique: true, technique: Transmitted Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: process, data_component: os api execution, relationship_id: REL-2022-0150, name: Process executed Api call, source: process, relationship: executed, target: api call, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.002, is_subtechnique: true, technique: Transmitted Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: process, data_component: os api execution, relationship_id: REL-2022-0150, name: Process executed Api call, source: process, relationship: executed, target: api call, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileModified}]}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '2', event_name: A process changed a file creation time., event_platform: windows, audit_category: FileCreateTime, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '11', event_name: FileCreate., event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileModified}]}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileRenamed}]}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: '23', event_name: File Delete archived., event_platform: windows, audit_category: FileDelete, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: '23', event_name: File Delete archived., event_platform: linux, audit_category: FileDelete, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: '26', event_name: File Delete logged., event_platform: windows, audit_category: FileDeleteDetected, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: '4660', event_name: An object was deleted., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0020, name: Process deleted File, source: process, relationship: deleted, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileDeleted}]}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: '23', event_name: File Delete archived., event_platform: windows, audit_category: FileDelete, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: '23', event_name: File Delete archived., event_platform: linux, audit_category: FileDelete, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: '26', event_name: File Delete logged., event_platform: windows, audit_category: FileDeleteDetected, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: '4660', event_name: An object was deleted., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file deletion, relationship_id: REL-2022-0144, name: User deleted File, source: user, relationship: deleted, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileDeleted}]}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '11', event_name: FileCreate., event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1565.001, is_subtechnique: true, technique: Stored Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565, is_subtechnique: false, technique: Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: process, data_component: os api execution, relationship_id: REL-2022-0150, name: Process executed Api call, source: process, relationship: executed, target: api call, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1565, is_subtechnique: false, technique: Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: process, data_component: os api execution, relationship_id: REL-2022-0150, name: Process executed Api call, source: process, relationship: executed, target: api call, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1565, is_subtechnique: false, technique: Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1565, is_subtechnique: false, technique: Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileModified}]}
- {technique_id: T1565, is_subtechnique: false, technique: Data Manipulation, tactic: [impact], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '2', event_name: A process changed a file creation time., event_platform: windows, audit_category: FileCreateTime, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- technique_id: T1565
  is_subtechnique: false
  technique: Data Manipulation
  tactic: [impact]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted 
target: file event_id: '23' event_name: File Delete archived. event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '26' event_name: File Delete logged. event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4660' event_name: An object was deleted. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. 
event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '26' event_name: File Delete logged. event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1565 is_subtechnique: false technique: Data Manipulation tactic: - impact platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 
'4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564.001 is_subtechnique: true technique: Hidden Files and Directories tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: '4720' event_name: A user account was created. 
event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: '4741' event_name: A computer account was created. event_platform: windows audit_category: Account Management audit_sub_category: Computer Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: UserAccountCreated - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file creation relationship_id: 
REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An 
attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: '4697' event_name: A service was installed in the system. 
event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: '7045' event_name: A new service was installed in the system. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: Service Control Manager filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ServiceInstalled - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4104' event_name: Script Block Logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScriptContent - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: PowerShellCommand - technique_id: T1564 is_subtechnique: .nan technique: Hide Artifacts tactic: - defense-evasion platform: - Linux - macOS - Windows - Office 365 data_source: script data_component: script execution relationship_id: 
REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: AmsiScriptDetection - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1563.002 is_subtechnique: true technique: RDP Hijacking tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1563.001 is_subtechnique: true technique: SSH Hijacking tactic: - lateral-movement platform: - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1563.001 is_subtechnique: true technique: SSH Hijacking tactic: - lateral-movement platform: - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1563.001 is_subtechnique: true technique: SSH Hijacking tactic: - lateral-movement platform: - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1563 is_subtechnique: .nan technique: Remote Service Session Hijacking tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0049 name: Firewall enabled source: firewall relationship: enabled target: null event_id: '5024' event_name: The Windows Firewall Service has started successfully. event_platform: windows audit_category: System audit_sub_category: Other System Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0127 name: Firewall attempted to load Configuration source: firewall relationship: attempted to load target: configuration event_id: '2009' event_name: The Windows Firewall service failed to load Group Policy. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0152 name: User modified Firewall source: user relationship: modified target: firewall event_id: '2002' event_name: A Windows Defender Firewall setting has changed. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0152 name: User modified Firewall source: user relationship: modified target: firewall event_id: '2003' event_name: A Windows Defender Firewall setting in the Private profile has changed. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0180 name: Process modified Firewall source: process relationship: modified target: firewall event_id: '2002' event_name: A Windows Defender Firewall setting has changed. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0180 name: Process modified Firewall source: process relationship: modified target: firewall event_id: '2003' event_name: A Windows Defender Firewall setting in the Private profile has changed. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1518.001 is_subtechnique: true technique: Security Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1069.002 is_subtechnique: true technique: Domain Groups tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created 
target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1087.003 is_subtechnique: true technique: Email Account tactic: - discovery platform: - Windows - Office 365 - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1087.002 is_subtechnique: true technique: Domain Account tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087.002
  is_subtechnique: true
  technique: Domain Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087.002
  is_subtechnique: true
  technique: Domain Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1087.002
  is_subtechnique: true
  technique: Domain Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1087.002
  is_subtechnique: true
  technique: Domain Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087.002
  is_subtechnique: true
  technique: Domain Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087.002
  is_subtechnique: true
  technique: Domain Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1087.002
  is_subtechnique: true
  technique: Domain Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1087.002
  is_subtechnique: true
  technique: Domain Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: SAM
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1087.001
  is_subtechnique: true
  technique: Local Account
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: New registry value created
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1553.004
  is_subtechnique: true
  technique: Install Root Certificate
  tactic:
  - defense-evasion
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1553.004 is_subtechnique: true technique: Install Root Certificate tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1553.004 is_subtechnique: true technique: Install Root Certificate tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1553.004 is_subtechnique: true technique: Install Root Certificate tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall rule modification relationship_id: REL-2022-0025 name: Firewall Rule added source: firewall rule relationship: modified target: null event_id: '4947' event_name: A change has been made to Windows Firewall exception list. A rule was modified. 
event_platform: windows audit_category: Policy Change audit_sub_category: MPSSVC Rule-Level Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall rule modification relationship_id: REL-2022-0038 name: Process removed Firewall rule source: process relationship: removed target: firewall rule event_id: '2006' event_name: A rule has been deleted in the Windows Defender Firewall exception list event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall rule modification relationship_id: REL-2022-0072 name: Firewall Rule added source: firewall rule relationship: removed target: null event_id: '4948' event_name: A change has been made to Windows Firewall exception list. A rule was deleted. event_platform: windows audit_category: Policy Change audit_sub_category: MPSSVC Rule-Level Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall rule modification relationship_id: REL-2022-0081 name: Firewall Rule added source: firewall rule relationship: added target: null event_id: '4946' event_name: A change has been made to Windows Firewall exception list. A rule was added. 
event_platform: windows audit_category: Policy Change audit_sub_category: MPSSVC Rule-Level Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall rule modification relationship_id: REL-2022-0088 name: Process added Firewall rule source: process relationship: added target: firewall rule event_id: '2004' event_name: A rule has been added to the Windows Defender Firewall exception list event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall rule modification relationship_id: REL-2022-0095 name: Process modified Firewall rule source: process relationship: modified target: firewall rule event_id: '2005' event_name: A rule has been modified in the Windows Defender Firewall exception list. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall rule modification relationship_id: REL-2022-0118 name: User removed Firewall rule source: user relationship: removed target: firewall rule event_id: '2006' event_name: A rule has been deleted in the Windows Defender Firewall exception list event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall rule modification relationship_id: REL-2022-0118 name: User removed Firewall rule source: user relationship: removed target: firewall rule event_id: '2033' event_name: All rules have been deleted from the Windows Firewall configuration on this computer. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall rule modification relationship_id: REL-2022-0168 name: User added Firewall rule source: user relationship: added target: firewall rule event_id: '2004' event_name: A rule has been added to the Windows Defender Firewall exception list event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall rule modification relationship_id: REL-2022-0179 name: User modified Firewall rule source: user relationship: modified target: firewall rule event_id: '2005' event_name: A rule has been modified in the Windows Defender Firewall exception list. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall disable relationship_id: REL-2022-0035 name: Firewall disabled source: firewall relationship: disabled target: null event_id: '5025' event_name: The Windows Firewall Service has been stopped. 
event_platform: windows audit_category: System audit_sub_category: Other System Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: firewall data_component: firewall disable relationship_id: REL-2022-0035 name: Firewall disabled source: firewall relationship: disabled target: null event_id: '5034' event_name: The Windows Firewall Driver was stopped. event_platform: windows audit_category: System audit_sub_category: Other System Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1562.004 is_subtechnique: true technique: Disable or Modify System Firewall tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1562.003 is_subtechnique: true technique: Impair Command History Logging tactic: - defense-evasion platform: - Linux - macOS - Windows - Network data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4' event_name: Sysmon service state changed. 
event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562.003 is_subtechnique: true technique: Impair Command History Logging tactic: - defense-evasion platform: - Linux - macOS - Windows - Network data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1100' event_name: The event logging service has shut down. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1562.003 is_subtechnique: true technique: Impair Command History Logging tactic: - defense-evasion platform: - Linux - macOS - Windows - Network data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1101' event_name: Audit events have been dropped by the transport. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1562.003 is_subtechnique: true technique: Impair Command History Logging tactic: - defense-evasion platform: - Linux - macOS - Windows - Network data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1102' event_name: The audit log was cleared. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1562.003 is_subtechnique: true technique: Impair Command History Logging tactic: - defense-evasion platform: - Linux - macOS - Windows - Network data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1104' event_name: The security Log is now full. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1562.003 is_subtechnique: true technique: Impair Command History Logging tactic: - defense-evasion platform: - Linux - macOS - Windows - Network data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6005' event_name: The Event log service was started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1562.003 is_subtechnique: true technique: Impair Command History Logging tactic: - defense-evasion platform: - Linux - macOS - Windows - Network data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6006' event_name: The Event log service was stopped. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1562.003 is_subtechnique: true technique: Impair Command History Logging tactic: - defense-evasion platform: - Linux - macOS - Windows - Network data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4616' event_name: The system time was changed. event_platform: windows audit_category: System audit_sub_category: Security State Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.003 is_subtechnique: true technique: Impair Command History Logging tactic: - defense-evasion platform: - Linux - macOS - Windows - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.003 is_subtechnique: true technique: Impair Command History Logging tactic: - defense-evasion platform: - Linux - macOS - Windows - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.003
  is_subtechnique: true
  technique: Impair Command History Logging
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562.003
  is_subtechnique: true
  technique: Impair Command History Logging
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1562.003
  is_subtechnique: true
  technique: Impair Command History Logging
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.003
  is_subtechnique: true
  technique: Impair Command History Logging
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.003
  is_subtechnique: true
  technique: Impair Command History Logging
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1562.003
  is_subtechnique: true
  technique: Impair Command History Logging
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562.003
  is_subtechnique: true
  technique: Impair Command History Logging
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1100'
  event_name: The event logging service has shut down.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1101'
  event_name: Audit events have been dropped by the transport.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1102'
  event_name: The audit log was cleared.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1104'
  event_name: The security Log is now full.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4616'
  event_name: The system time was changed.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security State Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ScriptContent
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: PowerShellCommand
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: AmsiScriptDetection
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
    - EventType: CreateKey
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryValueSet
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryKeyCreated
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
    - EventType: CreateKey
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryValueSet
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryKeyCreated
- technique_id: T1562.002
  is_subtechnique: true
  technique: Disable Windows Event Logging
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - OperationType: New registry value created
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - OperationType: Existing registry value modified
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryValueSet
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryKeySet
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
    - EventType: SetValue
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - OperationType: Existing registry value modified
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryValueSet
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryKeyCreated
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0102
  name: Process deleted Registry
  source: process
  relationship: deleted
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0102
  name: Process deleted Registry
  source: process
  relationship: deleted
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryValueDeleted
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0102
  name: Process deleted Registry
  source: process
  relationship: deleted
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryKeyDeleted
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0102
  name: Process deleted Registry
  source: process
  relationship: deleted
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ActionType: Registry value deleted
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0102
  name: Process deleted Registry
  source: process
  relationship: deleted
  target: registry
  event_id: '4660'
  event_name: An object was deleted.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0130
  name: User deleted Registry
  source: user
  relationship: deleted
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0130
  name: User deleted Registry
  source: user
  relationship: deleted
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryValueDeleted
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0130
  name: User deleted Registry
  source: user
  relationship: deleted
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: RegistryKeyDeleted
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0130
  name: User deleted Registry
  source: user
  relationship: deleted
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - OperationType: Registry value deleted
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0130
  name: User deleted Registry
  source: user
  relationship: deleted
  target: registry
  event_id: '4660'
  event_name: An object was deleted.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0094
  name: Service stopped
  source: service
  relationship: stopped
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0094
  name: Service stopped
  source: service
  relationship: stopped
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0184
  name: Service started
  source: service
  relationship: started
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0184
  name: Service started
  source: service
  relationship: started
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1562.001
  is_subtechnique: true
  technique: Disable or Modify Tools
  tactic: [defense-evasion]
  platform: [Windows, macOS, Linux, Containers, IaaS]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: process data_component: process termination relationship_id: REL-2022-0004 name: User terminated Process source: user relationship: terminated target: process event_id: '4689' event_name: A process has exited. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Termination channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: process data_component: process termination relationship_id: REL-2022-0004 name: User terminated Process source: user relationship: terminated target: process event_id: '5' event_name: Process terminated. 
event_platform: windows audit_category: ProcessTerminate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: process data_component: process termination relationship_id: REL-2022-0004 name: User terminated Process source: user relationship: terminated target: process event_id: '5' event_name: Process terminated. event_platform: linux audit_category: ProcessTerminate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1100' event_name: The event logging service has shut down. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1101' event_name: Audit events have been dropped by the transport. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1102' event_name: The audit log was cleared. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1104' event_name: The security Log is now full. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6005' event_name: The Event log service was started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6006' event_name: The Event log service was stopped. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1562.001 is_subtechnique: true technique: Disable or Modify Tools tactic: - defense-evasion platform: - Windows - macOS - Linux - Containers - IaaS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4616' event_name: The system time was changed. 
event_platform: windows audit_category: System audit_sub_category: Security State Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0102 name: Process deleted Registry source: process relationship: deleted target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0102 name: Process deleted Registry source: process relationship: deleted target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueDeleted - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0102 name: Process deleted Registry source: process relationship: deleted target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyDeleted - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0102 name: Process deleted Registry source: process relationship: deleted target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ActionType: Registry value deleted - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0102 name: Process deleted Registry source: process relationship: deleted target: registry event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0130 name: User deleted Registry source: user relationship: deleted target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0130 name: User deleted Registry source: user relationship: deleted target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueDeleted - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0130 name: User deleted Registry source: user relationship: deleted target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyDeleted - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0130 name: User deleted Registry source: user relationship: deleted target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Registry value deleted - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0130 name: User deleted Registry source: user relationship: deleted target: registry event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1562 is_subtechnique: .nan technique: Impair Defenses tactic: - defense-evasion platform: - Windows - Office 365 - IaaS - Linux - macOS - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: [{EventType: SetValue}]
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{OperationType: Existing registry value modified}]
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: RegistryValueSet}]
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: RegistryKeyCreated}]
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall rule modification
  relationship_id: REL-2022-0025
  name: Firewall Rule added
  source: firewall rule
  relationship: modified
  target: null
  event_id: '4947'
  event_name: A change has been made to Windows Firewall exception list. A rule was modified.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: MPSSVC Rule-Level Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall rule modification
  relationship_id: REL-2022-0038
  name: Process removed Firewall rule
  source: process
  relationship: removed
  target: firewall rule
  event_id: '2006'
  event_name: A rule has been deleted in the Windows Defender Firewall exception list
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  log_source: Microsoft-Windows-Windows Firewall With Advanced Security
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall rule modification
  relationship_id: REL-2022-0072
  name: Firewall Rule added
  source: firewall rule
  relationship: removed
  target: null
  event_id: '4948'
  event_name: A change has been made to Windows Firewall exception list. A rule was deleted.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: MPSSVC Rule-Level Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall rule modification
  relationship_id: REL-2022-0081
  name: Firewall Rule added
  source: firewall rule
  relationship: added
  target: null
  event_id: '4946'
  event_name: A change has been made to Windows Firewall exception list. A rule was added.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: MPSSVC Rule-Level Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall rule modification
  relationship_id: REL-2022-0088
  name: Process added Firewall rule
  source: process
  relationship: added
  target: firewall rule
  event_id: '2004'
  event_name: A rule has been added to the Windows Defender Firewall exception list
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  log_source: Microsoft-Windows-Windows Firewall With Advanced Security
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall rule modification
  relationship_id: REL-2022-0095
  name: Process modified Firewall rule
  source: process
  relationship: modified
  target: firewall rule
  event_id: '2005'
  event_name: A rule has been modified in the Windows Defender Firewall exception list.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  log_source: Microsoft-Windows-Windows Firewall With Advanced Security
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall rule modification
  relationship_id: REL-2022-0118
  name: User removed Firewall rule
  source: user
  relationship: removed
  target: firewall rule
  event_id: '2006'
  event_name: A rule has been deleted in the Windows Defender Firewall exception list
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  log_source: Microsoft-Windows-Windows Firewall With Advanced Security
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall rule modification
  relationship_id: REL-2022-0118
  name: User removed Firewall rule
  source: user
  relationship: removed
  target: firewall rule
  event_id: '2033'
  event_name: All rules have been deleted from the Windows Firewall configuration on this computer.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  log_source: Microsoft-Windows-Windows Firewall With Advanced Security
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall rule modification
  relationship_id: REL-2022-0168
  name: User added Firewall rule
  source: user
  relationship: added
  target: firewall rule
  event_id: '2004'
  event_name: A rule has been added to the Windows Defender Firewall exception list
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  log_source: Microsoft-Windows-Windows Firewall With Advanced Security
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall rule modification
  relationship_id: REL-2022-0179
  name: User modified Firewall rule
  source: user
  relationship: modified
  target: firewall rule
  event_id: '2005'
  event_name: A rule has been modified in the Windows Defender Firewall exception list.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  log_source: Microsoft-Windows-Windows Firewall With Advanced Security
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall disable
  relationship_id: REL-2022-0035
  name: Firewall disabled
  source: firewall
  relationship: disabled
  target: null
  event_id: '5025'
  event_name: The Windows Firewall Service has been stopped.
  event_platform: windows
  audit_category: System
  audit_sub_category: Other System Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: firewall
  data_component: firewall disable
  relationship_id: REL-2022-0035
  name: Firewall disabled
  source: firewall
  relationship: disabled
  target: null
  event_id: '5034'
  event_name: The Windows Firewall Driver was stopped.
  event_platform: windows
  audit_category: System
  audit_sub_category: Other System Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process termination
  relationship_id: REL-2022-0004
  name: User terminated Process
  source: user
  relationship: terminated
  target: process
  event_id: '4689'
  event_name: A process has exited.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Termination
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process termination
  relationship_id: REL-2022-0004
  name: User terminated Process
  source: user
  relationship: terminated
  target: process
  event_id: '5'
  event_name: Process terminated.
  event_platform: windows
  audit_category: ProcessTerminate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process termination
  relationship_id: REL-2022-0004
  name: User terminated Process
  source: user
  relationship: terminated
  target: process
  event_id: '5'
  event_name: Process terminated.
  event_platform: linux
  audit_category: ProcessTerminate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0094
  name: Service stopped
  source: service
  relationship: stopped
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0094
  name: Service stopped
  source: service
  relationship: stopped
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0184
  name: Service started
  source: service
  relationship: started
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0184
  name: Service started
  source: service
  relationship: started
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1100'
  event_name: The event logging service has shut down.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1101'
  event_name: Audit events have been dropped by the transport.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1102'
  event_name: The audit log was cleared.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1104'
  event_name: The security Log is now full.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4616'
  event_name: The system time was changed.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security State Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ScriptContent}]
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: PowerShellCommand}]
- technique_id: T1562
  is_subtechnique: .nan
  technique: Impair Defenses
  tactic: [defense-evasion]
  platform: [Windows, Office 365, IaaS, Linux, macOS, Containers, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: AmsiScriptDetection}]
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0048
  name: Process accessed Registry
  source: process
  relationship: accessed
  target: registry
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: Key}]
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0077
  name: User accessed Registry
  source: user
  relationship: accessed
  target: registry
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: Key}]
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0070
  name: Process requested access to Registry
  source: process
  relationship: requested access to
  target: registry
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: Key}]
- technique_id: T1003.004
  is_subtechnique: true
  technique: LSA Secrets
  tactic: [credential-access]
  platform: [Windows]
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0013
  name: User requested access to Registry
  source: user
  relationship: requested access to
  target: registry
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: Key}]
- technique_id: T1003.005
  is_subtechnique: true
  technique: Cached Domain Credentials
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003.005
  is_subtechnique: true
  technique: Cached Domain Credentials
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003.005
  is_subtechnique: true
  technique: Cached Domain Credentials
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1003.005
  is_subtechnique: true
  technique: Cached Domain Credentials
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1003.005
  is_subtechnique: true
  technique: Cached Domain Credentials
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003.005
  is_subtechnique: true
  technique: Cached Domain Credentials
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003.005
  is_subtechnique: true
  technique: Cached Domain Credentials
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1003.005
  is_subtechnique: true
  technique: Cached Domain Credentials
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1561.002
  is_subtechnique: true
  technique: Disk Structure Wipe
  tactic: [impact]
  platform: [Linux, macOS, Windows]
  data_source: drive
  data_component: drive modification
  relationship_id: REL-2022-0044
  name: User enabled Drive
  source: user
  relationship: enabled
  target: drive
  event_id: '6422'
  event_name: A device was enabled.
event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0053 name: User attempted to disable Drive source: user relationship: attempted to disable target: drive event_id: '6419' event_name: A request was made to disable a device. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0064 name: User disabled Drive source: user relationship: disabled target: drive event_id: '6420' event_name: A device was disabled. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0067 name: User attempted to enable Drive source: user relationship: attempted to enable target: drive event_id: '6421' event_name: A request was made to enable a device. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: 
process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: 
process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: '6' event_name: Driver loaded. event_platform: windows audit_category: DriverLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.002 is_subtechnique: true technique: Disk Structure Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: DriverLoaded - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: '6' event_name: Driver loaded. 
event_platform: windows audit_category: DriverLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: DriverLoaded - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0044 name: User enabled Drive source: user relationship: enabled target: drive event_id: '6422' event_name: A device was enabled. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0053 name: User attempted to disable Drive source: user relationship: attempted to disable target: drive event_id: '6419' event_name: A request was made to disable a device. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0064 name: User disabled Drive source: user relationship: disabled target: drive event_id: '6420' event_name: A device was disabled. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0067 name: User attempted to enable Drive source: user relationship: attempted to enable target: drive event_id: '6421' event_name: A request was made to enable a device. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process 
event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1561.001 is_subtechnique: true technique: Disk Content Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0044 name: User enabled Drive source: user relationship: enabled target: drive event_id: '6422' event_name: A device was enabled. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0053 name: User attempted to disable Drive source: user relationship: attempted to disable target: drive event_id: '6419' event_name: A request was made to disable a device. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0064 name: User disabled Drive source: user relationship: disabled target: drive event_id: '6420' event_name: A device was disabled. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0067 name: User attempted to enable Drive source: user relationship: attempted to enable target: drive event_id: '6421' event_name: A request was made to enable a device. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: '6' event_name: Driver loaded. 
event_platform: windows audit_category: DriverLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: DriverLoaded - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1561 is_subtechnique: .nan technique: Disk Wipe tactic: - impact platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4104' event_name: Script Block Logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScriptContent - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: PowerShellCommand - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 
name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: AmsiScriptDetection - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1560.003 is_subtechnique: true technique: Archive via Custom Method tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was 
made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an 
object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4104' event_name: Script Block Logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScriptContent - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: PowerShellCommand - technique_id: T1560.002 is_subtechnique: true technique: Archive via Library tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: AmsiScriptDetection - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user 
relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an 
object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1560.001 is_subtechnique: true technique: Archive via Utility tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4104' event_name: Script Block Logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScriptContent - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: PowerShellCommand - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script 
source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: AmsiScriptDetection - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1560 is_subtechnique: .nan technique: Archive Collected Data tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1499.004 is_subtechnique: true technique: Application or System Exploitation tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4' event_name: Sysmon service state changed. 
event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1499.004 is_subtechnique: true technique: Application or System Exploitation tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1100' event_name: The event logging service has shut down. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.004 is_subtechnique: true technique: Application or System Exploitation tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1101' event_name: Audit events have been dropped by the transport. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.004 is_subtechnique: true technique: Application or System Exploitation tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1102' event_name: The audit log was cleared. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.004 is_subtechnique: true technique: Application or System Exploitation tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1104' event_name: The security Log is now full. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.004 is_subtechnique: true technique: Application or System Exploitation tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6005' event_name: The Event log service was started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1499.004 is_subtechnique: true technique: Application or System Exploitation tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6006' event_name: The Event log service was stopped. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1499.004 is_subtechnique: true technique: Application or System Exploitation tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4616' event_name: The system time was changed. event_platform: windows audit_category: System audit_sub_category: Security State Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1499.003 is_subtechnique: true technique: Application Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1499.003 is_subtechnique: true technique: Application Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1100' event_name: The event logging service has shut down. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.003 is_subtechnique: true technique: Application Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1101' event_name: Audit events have been dropped by the transport. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.003 is_subtechnique: true technique: Application Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1102' event_name: The audit log was cleared. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.003 is_subtechnique: true technique: Application Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1104' event_name: The security Log is now full. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.003 is_subtechnique: true technique: Application Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6005' event_name: The Event log service was started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1499.003 is_subtechnique: true technique: Application Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6006' event_name: The Event log service was stopped. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1499.003 is_subtechnique: true technique: Application Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4616' event_name: The system time was changed. 
event_platform: windows audit_category: System audit_sub_category: Security State Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1499.002 is_subtechnique: true technique: Service Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1499.002 is_subtechnique: true technique: Service Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1100' event_name: The event logging service has shut down. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.002 is_subtechnique: true technique: Service Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1101' event_name: Audit events have been dropped by the transport. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.002 is_subtechnique: true technique: Service Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1102' event_name: The audit log was cleared. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.002 is_subtechnique: true technique: Service Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1104' event_name: The security Log is now full. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1499.002 is_subtechnique: true technique: Service Exhaustion Flood tactic: - impact platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6005' event_name: The Event log service was started. 
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1499.002
  is_subtechnique: true
  technique: Service Exhaustion Flood
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1499.002
  is_subtechnique: true
  technique: Service Exhaustion Flood
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4616'
  event_name: The system time was changed.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security State Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1499.001
  is_subtechnique: true
  technique: OS Exhaustion Flood
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1499.001
  is_subtechnique: true
  technique: OS Exhaustion Flood
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1100'
  event_name: The event logging service has shut down.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1499.001
  is_subtechnique: true
  technique: OS Exhaustion Flood
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1101'
  event_name: Audit events have been dropped by the transport.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1499.001
  is_subtechnique: true
  technique: OS Exhaustion Flood
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1102'
  event_name: The audit log was cleared.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1499.001
  is_subtechnique: true
  technique: OS Exhaustion Flood
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1104'
  event_name: The security Log is now full.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1499.001
  is_subtechnique: true
  technique: OS Exhaustion Flood
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1499.001
  is_subtechnique: true
  technique: OS Exhaustion Flood
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1499.001
  is_subtechnique: true
  technique: OS Exhaustion Flood
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4616'
  event_name: The system time was changed.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security State Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileModified
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileModified
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileRenamed
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileCreated
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileCreated
- technique_id: T1491.002
  is_subtechnique: true
  technique: External Defacement
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileCreated
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileCreated
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileModified
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileModified
- technique_id: T1491.001
  is_subtechnique: true
  technique: Internal Defacement
  tactic:
    - impact
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileRenamed
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionAttempt
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionAttempt
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ListeningConnectionCreated
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionRequest
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
    - collection
  platform:
    - Office 365
    - Windows
    - Google Workspace
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114.002 is_subtechnique: true technique: Remote Email Collection tactic: - collection platform: - Office 365 - Windows - Google Workspace data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
  - collection
  platform:
  - Office 365
  - Windows
  - Google Workspace
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4964'
  event_name: Special groups have been assigned to a new logon.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Special Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.002
  is_subtechnique: true
  technique: Remote Email Collection
  tactic:
  - collection
  platform:
  - Office 365
  - Windows
  - Google Workspace
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: SAM
- technique_id: T1114.001
  is_subtechnique: true
  technique: Local Email Collection
  tactic:
  - collection
  platform:
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.005
  is_subtechnique: true
  technique: SID-History Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5136'
  event_name: A directory service object was modified.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.005
  is_subtechnique: true
  technique: SID-History Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5139'
  event_name: A directory service object was moved.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.005
  is_subtechnique: true
  technique: SID-History Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '4719'
  event_name: System audit policy was changed.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.005
  is_subtechnique: true
  technique: SID-History Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.005
  is_subtechnique: true
  technique: SID-History Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0029
  name: Process terminated
  source: process
  relationship: terminated
  target: null
  event_id: '5'
  event_name: Process terminated.
  event_platform: windows
  audit_category: ProcessTerminate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0073
  name: Process searched LDAP
  source: process
  relationship: searched
  target: ldap
  event_id: '30'
  event_name: EventID(30)
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-LDAP-Client/Debug
  filter_in: .nan
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0073
  name: Process searched LDAP
  source: process
  relationship: searched
  target: ldap
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LdapSearch
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.004
  is_subtechnique: true
  technique: Parent PID Spoofing
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1134.003
  is_subtechnique: true
  technique: Make and Impersonate Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.003
  is_subtechnique: true
  technique: Make and Impersonate Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1134.003
  is_subtechnique: true
  technique: Make and Impersonate Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.003
  is_subtechnique: true
  technique: Make and Impersonate Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.003
  is_subtechnique: true
  technique: Make and Impersonate Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1134.003
  is_subtechnique: true
  technique: Make and Impersonate Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1134.003
  is_subtechnique: true
  technique: Make and Impersonate Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.003
  is_subtechnique: true
  technique: Make and Impersonate Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.003
  is_subtechnique: true
  technique: Make and Impersonate Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1134.003
  is_subtechnique: true
  technique: Make and Impersonate Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1134.002
  is_subtechnique: true
  technique: Create Process with Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.002
  is_subtechnique: true
  technique: Create Process with Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.002
  is_subtechnique: true
  technique: Create Process with Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1134.002
  is_subtechnique: true
  technique: Create Process with Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1134.002
  is_subtechnique: true
  technique: Create Process with Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.002
  is_subtechnique: true
  technique: Create Process with Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.002
  is_subtechnique: true
  technique: Create Process with Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1134.002
  is_subtechnique: true
  technique: Create Process with Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1134.002
  is_subtechnique: true
  technique: Create Process with Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.002
  is_subtechnique: true
  technique: Create Process with Token
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1134.001
  is_subtechnique: true
  technique: Token Impersonation/Theft
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.001
  is_subtechnique: true
  technique: Token Impersonation/Theft
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.001
  is_subtechnique: true
  technique: Token Impersonation/Theft
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1134.001
  is_subtechnique: true
  technique: Token Impersonation/Theft
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1134.001
  is_subtechnique: true
  technique: Token Impersonation/Theft
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134.001
  is_subtechnique: true
  technique: Token Impersonation/Theft
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.001
  is_subtechnique: true
  technique: Token Impersonation/Theft
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1134.001
  is_subtechnique: true
  technique: Token Impersonation/Theft
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1134.001
  is_subtechnique: true
  technique: Token Impersonation/Theft
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134.001
  is_subtechnique: true
  technique: Token Impersonation/Theft
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1213.002
  is_subtechnique: true
  technique: Sharepoint
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1213.002
  is_subtechnique: true
  technique: Sharepoint
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1213.002
  is_subtechnique: true
  technique: Sharepoint
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1213.002
  is_subtechnique: true
  technique: Sharepoint
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1213.002
  is_subtechnique: true
  technique: Sharepoint
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1213.002
  is_subtechnique: true
  technique: Sharepoint
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1213.002
  is_subtechnique: true
  technique: Sharepoint
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1213.002 is_subtechnique: true technique: Sharepoint tactic: - collection platform: - Windows - Office 365 data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1213.002 is_subtechnique: true technique: Sharepoint tactic: - collection platform: - Windows - Office 365 data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '10' event_name: Process Access. 
event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '10' event_name: ProcessAccess event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1555.003 is_subtechnique: true technique: Credentials from Web Browsers tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1555.002 is_subtechnique: true technique: Securityd Memory tactic: - credential-access platform: - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4103' 
event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4104' event_name: Script Block Logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScriptContent - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: PowerShellCommand - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: 
executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: AmsiScriptDetection - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1559.002 is_subtechnique: true technique: Dynamic Data Exchange tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1559.001 is_subtechnique: true technique: Component Object Model tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1559.001 is_subtechnique: true technique: Component Object Model tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1559.001 is_subtechnique: true technique: Component Object Model tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1559.001 is_subtechnique: true technique: Component Object Model tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1559.001 is_subtechnique: true technique: Component Object Model tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1559.001 is_subtechnique: true technique: Component Object Model tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1559.001 is_subtechnique: true technique: Component Object Model tactic: - execution platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1559.001
  is_subtechnique: true
  technique: Component Object Model
  tactic:
    - execution
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1559.001
  is_subtechnique: true
  technique: Component Object Model
  tactic:
    - execution
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1559.001
  is_subtechnique: true
  technique: Component Object Model
  tactic:
    - execution
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1559.001
  is_subtechnique: true
  technique: Component Object Model
  tactic:
    - execution
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ScriptContent
- technique_id: T1559.001
  is_subtechnique: true
  technique: Component Object Model
  tactic:
    - execution
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: PowerShellCommand
- technique_id: T1559.001
  is_subtechnique: true
  technique: Component Object Model
  tactic:
    - execution
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: AmsiScriptDetection
- technique_id: T1559.001
  is_subtechnique: true
  technique: Component Object Model
  tactic:
    - execution
  platform:
    - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1559.001
  is_subtechnique: true
  technique: Component Object Model
  tactic:
    - execution
  platform:
    - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ImageLoaded
- technique_id: T1559.001
  is_subtechnique: true
  technique: Component Object Model
  tactic:
    - execution
  platform:
    - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1559.001
  is_subtechnique: true
  technique: Component Object Model
  tactic:
    - execution
  platform:
    - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ImageLoaded
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: Process
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: OpenProcessApiCall
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: Process
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '10'
  event_name: Process Access.
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: OpenProcessApiCall
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: Process
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: OpenProcessApiCall
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ImageLoaded
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ImageLoaded
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ScriptContent
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: PowerShellCommand
- technique_id: T1559
  is_subtechnique: .nan
  technique: Inter-Process Communication
  tactic:
    - execution
  platform:
    - Windows
    - macOS
    - Linux
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: AmsiScriptDetection
- technique_id: T1558.002
  is_subtechnique: true
  technique: Silver Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4703'
  event_name: A token right was adjusted.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Authorization Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.002
  is_subtechnique: true
  technique: Silver Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4673'
  event_name: A privileged service was called.
  event_platform: windows
  audit_category: Privilege Use
  audit_sub_category: Sensitive Privilege Use
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.002
  is_subtechnique: true
  technique: Silver Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4674'
  event_name: An operation was attempted on a privileged object.
  event_platform: windows
  audit_category: Privilege Use
  audit_sub_category: Sensitive Privilege Use
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.002
  is_subtechnique: true
  technique: Silver Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4610'
  event_name: An authentication package has been loaded by the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.002
  is_subtechnique: true
  technique: Silver Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4611'
  event_name: A trusted logon process has been registered with the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.002
  is_subtechnique: true
  technique: Silver Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4614'
  event_name: A notification package has been loaded by the Security Account Manager.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.002
  is_subtechnique: true
  technique: Silver Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4622'
  event_name: A security package has been loaded by the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.001
  is_subtechnique: true
  technique: Golden Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: active directory
  data_component: active directory credential request
  relationship_id: REL-2022-0100
  name: User requested AD Credential
  source: user
  relationship: requested
  target: ad credential
  event_id: '4768'
  event_name: A Kerberos authentication ticket (TGT) was requested.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Kerberos Authentication Service
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.001
  is_subtechnique: true
  technique: Golden Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: active directory
  data_component: active directory credential request
  relationship_id: REL-2022-0100
  name: User requested AD Credential
  source: user
  relationship: requested
  target: ad credential
  event_id: '4769'
  event_name: A Kerberos service ticket was requested.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Kerberos Service Ticket Operations
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.001
  is_subtechnique: true
  technique: Golden Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4703'
  event_name: A token right was adjusted.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Authorization Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.001
  is_subtechnique: true
  technique: Golden Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4673'
  event_name: A privileged service was called.
  event_platform: windows
  audit_category: Privilege Use
  audit_sub_category: Sensitive Privilege Use
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.001
  is_subtechnique: true
  technique: Golden Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4674'
  event_name: An operation was attempted on a privileged object.
  event_platform: windows
  audit_category: Privilege Use
  audit_sub_category: Sensitive Privilege Use
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.001
  is_subtechnique: true
  technique: Golden Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4610'
  event_name: An authentication package has been loaded by the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.001
  is_subtechnique: true
  technique: Golden Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4611'
  event_name: A trusted logon process has been registered with the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.001
  is_subtechnique: true
  technique: Golden Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4614'
  event_name: A notification package has been loaded by the Security Account Manager.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.001
  is_subtechnique: true
  technique: Golden Ticket
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4622'
  event_name: A security package has been loaded by the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4703'
  event_name: A token right was adjusted.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Authorization Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4673'
  event_name: A privileged service was called.
  event_platform: windows
  audit_category: Privilege Use
  audit_sub_category: Sensitive Privilege Use
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4674'
  event_name: An operation was attempted on a privileged object.
  event_platform: windows
  audit_category: Privilege Use
  audit_sub_category: Sensitive Privilege Use
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4610'
  event_name: An authentication package has been loaded by the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4611'
  event_name: A trusted logon process has been registered with the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4614'
  event_name: A notification package has been loaded by the Security Account Manager.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4622'
  event_name: A security package has been loaded by the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: active directory
  data_component: active directory credential request
  relationship_id: REL-2022-0100
  name: User requested AD Credential
  source: user
  relationship: requested
  target: ad credential
  event_id: '4768'
  event_name: A Kerberos authentication ticket (TGT) was requested.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Kerberos Authentication Service
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: active directory
  data_component: active directory credential request
  relationship_id: REL-2022-0100
  name: User requested AD Credential
  source: user
  relationship: requested
  target: ad credential
  event_id: '4769'
  event_name: A Kerberos service ticket was requested.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Kerberos Service Ticket Operations
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: SAM
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558
  is_subtechnique: .nan
  technique: Steal or Forge Kerberos Tickets
  tactic:
    - credential-access
  platform:
    - Windows
    - Linux
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1558 is_subtechnique: .nan technique: Steal or Forge Kerberos Tickets tactic: - credential-access platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1558 is_subtechnique: .nan technique: Steal or Forge Kerberos Tickets tactic: - credential-access platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1558 is_subtechnique: .nan technique: Steal or Forge Kerberos Tickets tactic: - credential-access platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: '4697' event_name: A service was installed in the system. 
event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: '7045' event_name: A new service was installed in the system. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: Service Control Manager filter_in: .nan - technique_id: T1557.001 is_subtechnique: true technique: LLMNR/NBT-NS Poisoning and SMB Relay tactic: - credential-access - collection platform: - Windows data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ServiceInstalled - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: '4697' event_name: A service was installed in the system. 
event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: '7045' event_name: A new service was installed in the system. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: Service Control Manager filter_in: .nan - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ServiceInstalled - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1557 is_subtechnique: false technique: Adversary-in-the-Middle tactic: - credential-access - collection platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1556.002 is_subtechnique: true technique: Password Filter DLL tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1556.002 is_subtechnique: true technique: Password Filter DLL tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1556.002 is_subtechnique: true technique: Password Filter DLL tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1556.002 is_subtechnique: true technique: Password Filter DLL tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1556.002 is_subtechnique: true technique: Password Filter DLL tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1556.002 is_subtechnique: true technique: Password Filter DLL tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1556.002 is_subtechnique: true technique: Password Filter DLL tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1556.002 is_subtechnique: true technique: Password Filter DLL tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1556.002 is_subtechnique: true technique: Password Filter DLL tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1556.002 is_subtechnique: true technique: Password Filter DLL tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1556.002 is_subtechnique: true technique: Password Filter DLL tactic: - credential-access - defense-evasion - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1556.002
  is_subtechnique: true
  technique: Password Filter DLL
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556.002
  is_subtechnique: true
  technique: Password Filter DLL
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1556.002
  is_subtechnique: true
  technique: Password Filter DLL
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.002
  is_subtechnique: true
  technique: Password Filter DLL
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1556.002
  is_subtechnique: true
  technique: Password Filter DLL
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1556.002
  is_subtechnique: true
  technique: Password Filter DLL
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1556.002
  is_subtechnique: true
  technique: Password Filter DLL
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.002
  is_subtechnique: true
  technique: Password Filter DLL
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556.002
  is_subtechnique: true
  technique: Password Filter DLL
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1556.002
  is_subtechnique: true
  technique: Password Filter DLL
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '10'
  event_name: Process Access.
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4964'
  event_name: Special groups have been assigned to a new logon.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Special Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556.001
  is_subtechnique: true
  technique: Domain Controller Authentication
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4964'
  event_name: Special groups have been assigned to a new logon.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Special Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '10'
  event_name: Process Access.
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1556
  is_subtechnique: .nan
  technique: Modify Authentication Process
  tactic:
  - credential-access
  - defense-evasion
  - persistence
  platform:
  - Windows
  - Linux
  - macOS
  - Network
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1556 is_subtechnique: .nan technique: Modify Authentication Process tactic: - credential-access - defense-evasion - persistence platform: - Windows - Linux - macOS - Network data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1056.004 is_subtechnique: true technique: Credential API Hooking tactic: - collection - credential-access platform: - Windows data_source: process data_component: process metadata relationship_id: REL-2022-0029 name: Process terminated source: process relationship: terminated target: null event_id: '5' event_name: Process terminated. 
event_platform: windows audit_category: ProcessTerminate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056.004 is_subtechnique: true technique: Credential API Hooking tactic: - collection - credential-access platform: - Windows data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: '30' event_name: EventID(30) event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-LDAP-Client/Debug filter_in: .nan - technique_id: T1056.004 is_subtechnique: true technique: Credential API Hooking tactic: - collection - credential-access platform: - Windows data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LdapSearch - technique_id: T1056.004 is_subtechnique: true technique: Credential API Hooking tactic: - collection - credential-access platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056.004 is_subtechnique: true technique: Credential API Hooking tactic: - collection - credential-access platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1056.003 is_subtechnique: true technique: Web Portal Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1056.003 is_subtechnique: true technique: Web Portal Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1056.003 is_subtechnique: true technique: Web Portal Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056.003 is_subtechnique: true technique: Web Portal Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056.003 is_subtechnique: true technique: Web Portal Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1056.003 is_subtechnique: true technique: Web Portal Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1056.003 is_subtechnique: true technique: Web Portal Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: script data_component: 
script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4104' event_name: Script Block Logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScriptContent - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: PowerShellCommand - technique_id: 
T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: AmsiScriptDetection - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056.002 is_subtechnique: true technique: GUI Input Capture tactic: - collection - credential-access platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1056.002
  is_subtechnique: true
  technique: GUI Input Capture
  tactic: [collection, credential-access]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1056.002
  is_subtechnique: true
  technique: GUI Input Capture
  tactic: [collection, credential-access]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1056.002
  is_subtechnique: true
  technique: GUI Input Capture
  tactic: [collection, credential-access]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1056.002
  is_subtechnique: true
  technique: GUI Input Capture
  tactic: [collection, credential-access]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1056.002
  is_subtechnique: true
  technique: GUI Input Capture
  tactic: [collection, credential-access]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1056.002
  is_subtechnique: true
  technique: GUI Input Capture
  tactic: [collection, credential-access]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{OperationType: Existing registry value modified}]
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: RegistryValueSet}]
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: RegistryKeySet}]
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: [{EventType: SetValue}]
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{OperationType: Existing registry value modified}]
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: RegistryValueSet}]
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: RegistryKeyCreated}]
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: driver
  data_component: driver load
  relationship_id: REL-2022-0126
  name: Driver loaded
  source: driver
  relationship: loaded
  target: null
  event_id: '6'
  event_name: Driver loaded.
  event_platform: windows
  audit_category: DriverLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1056.001
  is_subtechnique: true
  technique: Keylogging
  tactic: [collection, credential-access]
  platform: [Windows, macOS, Linux, Network]
  data_source: driver
  data_component: driver load
  relationship_id: REL-2022-0126
  name: Driver loaded
  source: driver
  relationship: loaded
  target: null
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: DriverLoaded}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: SAM}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: Process}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: OpenProcessApiCall}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: Process}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '10'
  event_name: Process Access.
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: OpenProcessApiCall}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: Process}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: OpenProcessApiCall}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1555
  is_subtechnique: .nan
  technique: Credentials from Password Stores
  tactic: [credential-access]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1003.008
  is_subtechnique: true
  technique: /etc/passwd and /etc/shadow
  tactic: [credential-access]
  platform: [Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1003.007
  is_subtechnique: true
  technique: Proc Filesystem
  tactic: [credential-access]
  platform: [Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1003.006
  is_subtechnique: true
  technique: DCSync
  tactic: [credential-access]
  platform: [Windows]
  data_source: active directory
  data_component: active directory object access
  relationship_id: REL-2022-0015
  name: User requested access to AD Object
  source: user
  relationship: requested access to
  target: ad object
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Access
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003.006
  is_subtechnique: true
  technique: DCSync
  tactic: [credential-access]
  platform: [Windows]
  data_source: active directory
  data_component: active directory object access
  relationship_id: REL-2022-0085
  name: User accessed AD Object
  source: user
  relationship: accessed
  target: ad object
  event_id: '4662'
  event_name: An operation was performed on an object.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Access
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003.006
  is_subtechnique: true
  technique: DCSync
  tactic: [credential-access]
  platform: [Windows]
  data_source: active directory
  data_component: active directory object access
  relationship_id: REL-2022-0085
  name: User accessed AD Object
  source: user
  relationship: accessed
  target: ad object
  event_id: '4932'
  event_name: Synchronization of a replica of an Active Directory naming context has begun.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Replication
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.003
  is_subtechnique: true
  technique: Kerberoasting
  tactic: [credential-access]
  platform: [Windows]
  data_source: active directory
  data_component: active directory credential request
  relationship_id: REL-2022-0100
  name: User requested AD Credential
  source: user
  relationship: requested
  target: ad credential
  event_id: '4768'
  event_name: A Kerberos authentication ticket (TGT) was requested.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Kerberos Authentication Service
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1558.003
  is_subtechnique: true
  technique: Kerberoasting
  tactic: [credential-access]
  platform: [Windows]
  data_source: active directory
  data_component: active directory credential request
  relationship_id: REL-2022-0100
  name: User requested AD Credential
  source: user
  relationship: requested
  target: ad credential
  event_id: '4769'
  event_name: A Kerberos service ticket was requested.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Kerberos Service Ticket Operations
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552.006
  is_subtechnique: true
  technique: Group Policy Preferences
  tactic: [credential-access]
  platform: [Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1552.006
  is_subtechnique: true
  technique: Group Policy Preferences
  tactic: [credential-access]
  platform: [Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1552.006
  is_subtechnique: true
  technique: Group Policy Preferences
  tactic: [credential-access]
  platform: [Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1552.006
  is_subtechnique: true
  technique: Group Policy Preferences
  tactic: [credential-access]
  platform: [Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: SAM}]
- technique_id: T1552.006
  is_subtechnique: true
  technique: Group Policy Preferences
  tactic: [credential-access]
  platform: [Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552.006
  is_subtechnique: true
  technique: Group Policy Preferences
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552.006
  is_subtechnique: true
  technique: Group Policy Preferences
  tactic: [credential-access]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1552.006 is_subtechnique: true technique: Group Policy Preferences tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1552.006 is_subtechnique: true technique: Group Policy Preferences tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1552.006 is_subtechnique: true technique: Group Policy Preferences tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1552.006 is_subtechnique: true technique: Group Policy Preferences tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1552.006 is_subtechnique: true technique: Group Policy Preferences tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1552.006 is_subtechnique: true technique: Group Policy Preferences tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1003.003 is_subtechnique: true technique: NTDS tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0048 name: Process accessed Registry source: process relationship: accessed target: registry event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0077 name: User accessed Registry source: user relationship: accessed target: registry event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0070 name: Process requested access to Registry source: process relationship: requested access to target: registry event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0013 name: User requested access to Registry source: user relationship: requested access to target: registry event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1003.002 is_subtechnique: true technique: Security Account Manager tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1003.001 is_subtechnique: true technique: LSASS Memory tactic: - credential-access platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '10' event_name: Process Access. 
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: OpenProcessApiCall
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: Process
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: OpenProcessApiCall
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003.001
  is_subtechnique: true
  technique: LSASS Memory
  tactic:
    - credential-access
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1110.004
  is_subtechnique: true
  technique: Credential Stuffing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.004
  is_subtechnique: true
  technique: Credential Stuffing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.004
  is_subtechnique: true
  technique: Credential Stuffing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.004
  is_subtechnique: true
  technique: Credential Stuffing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1110.004
  is_subtechnique: true
  technique: Credential Stuffing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0122
  name: User attempted to authenticate from Device
  source: user
  relationship: attempted to authenticate from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.004
  is_subtechnique: true
  technique: Credential Stuffing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0163
  name: User authenticated from Device
  source: user
  relationship: authenticated from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.004
  is_subtechnique: true
  technique: Credential Stuffing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.004
  is_subtechnique: true
  technique: Credential Stuffing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.004
  is_subtechnique: true
  technique: Credential Stuffing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.004
  is_subtechnique: true
  technique: Credential Stuffing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1110.003
  is_subtechnique: true
  technique: Password Spraying
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.003
  is_subtechnique: true
  technique: Password Spraying
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.003
  is_subtechnique: true
  technique: Password Spraying
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.003
  is_subtechnique: true
  technique: Password Spraying
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1110.003
  is_subtechnique: true
  technique: Password Spraying
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0122
  name: User attempted to authenticate from Device
  source: user
  relationship: attempted to authenticate from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.003
  is_subtechnique: true
  technique: Password Spraying
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0163
  name: User authenticated from Device
  source: user
  relationship: authenticated from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.003
  is_subtechnique: true
  technique: Password Spraying
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.003
  is_subtechnique: true
  technique: Password Spraying
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.003
  is_subtechnique: true
  technique: Password Spraying
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.003
  is_subtechnique: true
  technique: Password Spraying
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1110.002
  is_subtechnique: true
  technique: Password Cracking
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
    - Office 365
    - Azure AD
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.002
  is_subtechnique: true
  technique: Password Cracking
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
    - Office 365
    - Azure AD
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.002
  is_subtechnique: true
  technique: Password Cracking
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
    - Office 365
    - Azure AD
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.002
  is_subtechnique: true
  technique: Password Cracking
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
    - Office 365
    - Azure AD
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1110.002
  is_subtechnique: true
  technique: Password Cracking
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
    - Office 365
    - Azure AD
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0122
  name: User attempted to authenticate from Device
  source: user
  relationship: attempted to authenticate from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.002
  is_subtechnique: true
  technique: Password Cracking
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
    - Office 365
    - Azure AD
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0163
  name: User authenticated from Device
  source: user
  relationship: authenticated from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.002
  is_subtechnique: true
  technique: Password Cracking
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
    - Office 365
    - Azure AD
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.002
  is_subtechnique: true
  technique: Password Cracking
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
    - Office 365
    - Azure AD
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.002
  is_subtechnique: true
  technique: Password Cracking
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
    - Office 365
    - Azure AD
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.002
  is_subtechnique: true
  technique: Password Cracking
  tactic:
    - credential-access
  platform:
    - Linux
    - macOS
    - Windows
    - Office 365
    - Azure AD
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1110.001
  is_subtechnique: true
  technique: Password Guessing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.001
  is_subtechnique: true
  technique: Password Guessing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.001
  is_subtechnique: true
  technique: Password Guessing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.001
  is_subtechnique: true
  technique: Password Guessing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1110.001
  is_subtechnique: true
  technique: Password Guessing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0122
  name: User attempted to authenticate from Device
  source: user
  relationship: attempted to authenticate from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.001
  is_subtechnique: true
  technique: Password Guessing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0163
  name: User authenticated from Device
  source: user
  relationship: authenticated from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.001
  is_subtechnique: true
  technique: Password Guessing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.001
  is_subtechnique: true
  technique: Password Guessing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.001
  is_subtechnique: true
  technique: Password Guessing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110.001
  is_subtechnique: true
  technique: Password Guessing
  tactic:
    - credential-access
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1021.006
  is_subtechnique: true
  technique: Windows Remote Management
  tactic:
    - lateral-movement
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.006
  is_subtechnique: true
  technique: Windows Remote Management
  tactic:
    - lateral-movement
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.006
  is_subtechnique: true
  technique: Windows Remote Management
  tactic:
    - lateral-movement
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1021.006
  is_subtechnique: true
  technique: Windows Remote Management
  tactic:
    - lateral-movement
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1021.006
  is_subtechnique: true
  technique: Windows Remote Management
  tactic:
    - lateral-movement
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.006
  is_subtechnique: true
  technique: Windows Remote Management
  tactic:
    - lateral-movement
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.006
  is_subtechnique: true
  technique: Windows Remote Management
  tactic:
    - lateral-movement
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1021.006
  is_subtechnique: true
  technique: Windows Remote Management
  tactic:
    - lateral-movement
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1021.006
  is_subtechnique: true
  technique: Windows Remote Management
  tactic:
    - lateral-movement
  platform:
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.006
  is_subtechnique: true
  technique: Windows Remote Management
  tactic:
    - lateral-movement
  platform:
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.006 is_subtechnique: true technique: Windows Remote Management tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0010, name: Device blocked port bind on Port, source: device, relationship: blocked port bind on, target: port, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0124, name: Device blocked port bind on Ip, source: device, relationship: blocked port bind on, target: ip, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0160, name: Device blocked connection from Ip, source: device, relationship: blocked connection from, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0160, name: Device blocked connection from Ip, source: device, relationship: blocked connection from, target: ip, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionBlocked}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0183, name: Process attempted to bind on Port, source: process, relationship: attempted to bind on, target: port, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: service, data_component: service metadata, relationship_id: REL-2022-0094, name: Service stopped, source: service, relationship: stopped, target: null, event_id: '4', event_name: Sysmon service state changed., event_platform: windows, audit_category: ServiceStateChange, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: service, data_component: service metadata, relationship_id: REL-2022-0094, name: Service stopped, source: service, relationship: stopped, target: null, event_id: '6006', event_name: The Event log service was stopped., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: System, log_source: EventLog, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: service, data_component: service metadata, relationship_id: REL-2022-0184, name: Service started, source: service, relationship: started, target: null, event_id: '4', event_name: Sysmon service state changed., event_platform: windows, audit_category: ServiceStateChange, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: service, data_component: service metadata, relationship_id: REL-2022-0184, name: Service started, source: service, relationship: started, target: null, event_id: '6005', event_name: The Event log service was started., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: System, log_source: EventLog, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: '4778', event_name: A session was reconnected to a Window Station., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Other Logon/Logoff Events, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0059, name: User created logon from Port, source: user, relationship: created logon from, target: port, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0059, name: User created logon from Port, source: user, relationship: created logon from, target: port, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4778', event_name: A session was reconnected to a Window Station., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Other Logon/Logoff Events, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4964', event_name: Special groups have been assigned to a new logon., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Special Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.006, is_subtechnique: true, technique: Windows Remote Management, tactic: [lateral-movement], platform: [Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0012, name: Process attempted connection to Port, source: process, relationship: attempted connection to, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0012, name: Process attempted connection to Port, source: process, relationship: attempted connection to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionAttempt}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0074, name: Device blocked connection from Process, source: device, relationship: blocked connection from, target: process, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0090, name: Device permitted listener on Ip, source: device, relationship: permitted listener on, target: ip, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0056, name: Process attempted connection to Ip, source: process, relationship: attempted connection to, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0056, name: Process attempted connection to Ip, source: process, relationship: attempted connection to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionAttempt}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0084, name: Device blocked port bind on Process, source: device, relationship: blocked port bind on, target: process, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021.005 is_subtechnique: true technique: VNC tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0183, name: Process attempted to bind on Port, source: process, relationship: attempted to bind on, target: port, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: '4778', event_name: A session was reconnected to a Window Station., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Other Logon/Logoff Events, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0046, name: User created logon from Ip, source: user, relationship: created logon from, target: ip, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0059, name: User created logon from Port, source: user, relationship: created logon from, target: port, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0059, name: User created logon from Port, source: user, relationship: created logon from, target: port, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4778', event_name: A session was reconnected to a Window Station., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Other Logon/Logoff Events, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: '4964', event_name: Special groups have been assigned to a new logon., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Special Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.005, is_subtechnique: true, technique: VNC, tactic: [lateral-movement], platform: [Linux, macOS, Windows], data_source: logon session, data_component: logon session creation, relationship_id: REL-2022-0186, name: User created Logon, source: user, relationship: created, target: logon, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.004, is_subtechnique: true, technique: SSH, tactic: [lateral-movement], platform: [Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0012, name: Process attempted connection to Port, source: process, relationship: attempted connection to, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0012, name: Process attempted connection to Port, source: process, relationship: attempted connection to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionAttempt}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0074, name: Device blocked connection from Process, source: device, relationship: blocked connection from, target: process, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0090, name: Device permitted listener on Ip, source: device, relationship: permitted listener on, target: ip, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0056, name: Process attempted connection to Ip, source: process, relationship: attempted connection to, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0056, name: Process attempted connection to Ip, source: process, relationship: attempted connection to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionAttempt}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0084, name: Device blocked port bind on Process, source: device, relationship: blocked port bind on, target: process, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0022, name: Device blocked listener on Ip, source: device, relationship: blocked listener on, target: ip, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0068, name: Process listened on Port, source: process, relationship: listened on, target: port, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0068, name: Process listened on Port, source: process, relationship: listened on, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ListeningConnectionCreated}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: device, relationship: blocked connection to, target: process, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: device, relationship: blocked connection to, target: process, event_id: '5031', event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: device, relationship: blocked connection to, target: process, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionToAppBlocked}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0079, name: Process attempted connection from Ip, source: process, relationship: attempted connection from, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0079, name: Process attempted connection from Ip, source: process, relationship: attempted connection from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionRequest}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0028, name: Device blocked connection from Port, source: device, relationship: blocked connection from, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0028, name: Device blocked connection from Port, source: device, relationship: blocked connection from, target: port, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionBlocked}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0091, name: Process attempted to listen on Port, source: process, relationship: attempted to listen on, target: port, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0103, name: Process bound to Port, source: process, relationship: bound to, target: port, event_id: '5158', event_name: The Windows Filtering Platform has permitted a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0103, name: Process bound to Port, source: process, relationship: bound to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ListeningConnectionCreated}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0115, name: Device permitted listener on Port, source: device, relationship: permitted listener on, target: port, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0112, name: Process attempted connection from Port, source: process, relationship: attempted connection from, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0112, name: Process attempted connection from Port, source: process, relationship: attempted connection from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionRequest}]}
- {technique_id: T1021.003, is_subtechnique: true, technique: Distributed Component Object Model, tactic: [lateral-movement], platform: [Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection.
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.003 is_subtechnique: true technique: Distributed Component Object Model tactic: - lateral-movement platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4964'
  event_name: Special groups have been assigned to a new logon.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Special Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021.002
  is_subtechnique: true
  technique: SMB/Windows Admin Shares
  tactic:
  - lateral-movement
  platform:
  - Windows
  data_source: network share
  data_component: network share access
  relationship_id: REL-2022-0078
  name: User attempted to access Network Share
  source: user
  relationship: attempted to access
  target: network share
  event_id: '5140'
  event_name: A network share object was accessed.
event_platform: windows audit_category: Object Access audit_sub_category: File Share channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: network share data_component: network share access relationship_id: REL-2022-0078 name: User attempted to access Network Share source: user relationship: attempted to access target: network share event_id: '5145' event_name: A network share object was checked to see whether client can be granted desired access. event_platform: windows audit_category: Object Access audit_sub_category: Detailed File Share channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: network share data_component: network share access relationship_id: REL-2022-0078 name: User attempted to access Network Share source: user relationship: attempted to access target: network share event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1021.002 is_subtechnique: true technique: SMB/Windows Admin Shares tactic: - lateral-movement platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1021.001 is_subtechnique: true technique: Remote Desktop Protocol tactic: - lateral-movement platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '26' event_name: File Delete logged. event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '26' event_name: File Delete logged. event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated
- technique_id: T1554 is_subtechnique: .nan technique: Compromise Client Software Binary tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663'
event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036.005 is_subtechnique: true technique: Match Legitimate Name or Location tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: process data_component: process metadata relationship_id: REL-2022-0029 name: Process terminated source: process relationship: terminated target: null event_id: '5' event_name: Process terminated. event_platform: windows audit_category: ProcessTerminate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036.005 is_subtechnique: true technique: Match Legitimate Name or Location tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: process data_component: process metadata relationship_id: REL-2022-0029 name: Process terminated source: process relationship: terminated target: null event_id: '5' event_name: Process terminated. 
event_platform: linux audit_category: ProcessTerminate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1036.005 is_subtechnique: true technique: Match Legitimate Name or Location tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: '30' event_name: EventID(30) event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-LDAP-Client/Debug filter_in: .nan - technique_id: T1036.005 is_subtechnique: true technique: Match Legitimate Name or Location tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LdapSearch - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: scheduled job data_component: scheduled job modification relationship_id: REL-2022-0119 name: User modified Schedule job source: user relationship: modified target: schedule job event_id: '4702' event_name: A scheduled task was updated. 
event_platform: windows audit_category: Object Access audit_sub_category: Other Object Access Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: scheduled job data_component: scheduled job modification relationship_id: REL-2022-0119 name: User modified Schedule job source: user relationship: modified target: schedule job event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScheduledTaskUpdated - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: scheduled job data_component: scheduled job modification relationship_id: REL-2022-0148 name: User enabled Scheduled job source: user relationship: enabled target: scheduled job event_id: '4700' event_name: A scheduled task was enabled. 
event_platform: windows audit_category: Object Access audit_sub_category: Other Object Access Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: scheduled job data_component: scheduled job modification relationship_id: REL-2022-0148 name: User enabled Scheduled job source: user relationship: enabled target: scheduled job event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScheduledTaskModified - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: scheduled job data_component: scheduled job modification relationship_id: REL-2022-0167 name: User disabled Scheduled job source: user relationship: disabled target: scheduled job event_id: '4701' event_name: A scheduled task was disabled. 
event_platform: windows audit_category: Object Access audit_sub_category: Other Object Access Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: scheduled job data_component: scheduled job modification relationship_id: REL-2022-0167 name: User disabled Scheduled job source: user relationship: disabled target: scheduled job event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScheduledTaskModified - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: '4697' event_name: A service was installed in the system. event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: '7045' event_name: A new service was installed in the system. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: Service Control Manager filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ServiceInstalled - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: service data_component: service metadata relationship_id: REL-2022-0094 name: Service stopped source: service relationship: stopped target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: service data_component: service metadata relationship_id: REL-2022-0094 name: Service stopped source: service relationship: stopped target: null event_id: '6006' event_name: The Event log service was stopped. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: service data_component: service metadata relationship_id: REL-2022-0184 name: Service started source: service relationship: started target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: service data_component: service metadata relationship_id: REL-2022-0184 name: Service started source: service relationship: started target: null event_id: '6005' event_name: The Event log service was started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1036.004 is_subtechnique: true technique: Masquerade Task or Service tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: 
REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process metadata relationship_id: REL-2022-0029 name: Process terminated source: process relationship: terminated target: null event_id: '5' event_name: Process terminated. event_platform: windows audit_category: ProcessTerminate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process metadata relationship_id: REL-2022-0029 name: Process terminated source: process relationship: terminated target: null event_id: '5' event_name: Process terminated. 
event_platform: linux audit_category: ProcessTerminate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: '30' event_name: EventID(30) event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-LDAP-Client/Debug filter_in: .nan - technique_id: T1036.003 is_subtechnique: true technique: Rename System Utilities tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LdapSearch - technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet
- technique_id: T1553.003 is_subtechnique: true technique: SIP and Trust Provider Hijacking tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: New registry value created
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1553 is_subtechnique: false technique: Subvert Trust Controls tactic: - defense-evasion platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1222.002 is_subtechnique: true technique: Linux and Mac File and Directory Permissions Modification tactic: - defense-evasion platform: - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1222.002 is_subtechnique: true technique: Linux and Mac File and Directory Permissions Modification tactic: - defense-evasion platform: - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1222.002 is_subtechnique: true technique: Linux and Mac File and Directory Permissions Modification tactic: - defense-evasion platform: - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '5136' event_name: A directory service object was modified. event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '5139' event_name: A directory service object was moved. 
event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1222.001 is_subtechnique: true technique: Windows File and Directory Permissions Modification tactic: - defense-evasion platform: - Windows data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '4719' event_name: System audit policy was changed. event_platform: windows audit_category: Policy Change audit_sub_category: Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1552.004 is_subtechnique: true technique: Private Keys tactic: - credential-access platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1552.003 is_subtechnique: true technique: Bash History tactic: - credential-access platform: - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1552.002 is_subtechnique: true technique: Credentials in Registry tactic: - credential-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1552.002
  is_subtechnique: true
  technique: Credentials in Registry
  tactic:
  - credential-access
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1552.002
  is_subtechnique: true
  technique: Credentials in Registry
  tactic:
  - credential-access
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552.002
  is_subtechnique: true
  technique: Credentials in Registry
  tactic:
  - credential-access
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1552.002
  is_subtechnique: true
  technique: Credentials in Registry
  tactic:
  - credential-access
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1552.002
  is_subtechnique: true
  technique: Credentials in Registry
  tactic:
  - credential-access
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0048
  name: Process accessed Registry
  source: process
  relationship: accessed
  target: registry
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Key
- technique_id: T1552.002
  is_subtechnique: true
  technique: Credentials in Registry
  tactic:
  - credential-access
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0077
  name: User accessed Registry
  source: user
  relationship: accessed
  target: registry
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Key
- technique_id: T1552.002
  is_subtechnique: true
  technique: Credentials in Registry
  tactic:
  - credential-access
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0070
  name: Process requested access to Registry
  source: process
  relationship: requested access to
  target: registry
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Key
- technique_id: T1552.002
  is_subtechnique: true
  technique: Credentials in Registry
  tactic:
  - credential-access
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0013
  name: User requested access to Registry
  source: user
  relationship: requested access to
  target: registry
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Key
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: SAM
- technique_id: T1552.001
  is_subtechnique: true
  technique: Credentials In Files
  tactic:
  - credential-access
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0048
  name: Process accessed Registry
  source: process
  relationship: accessed
  target: registry
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Key
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0077
  name: User accessed Registry
  source: user
  relationship: accessed
  target: registry
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Key
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0070
  name: Process requested access to Registry
  source: process
  relationship: requested access to
  target: registry
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Key
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: windows registry
  data_component: windows registry key access
  relationship_id: REL-2022-0013
  name: User requested access to Registry
  source: user
  relationship: requested access to
  target: registry
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Key
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0122
  name: User attempted to authenticate from Device
  source: user
  relationship: attempted to authenticate from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0163
  name: User authenticated from Device
  source: user
  relationship: authenticated from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: SAM
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1552
  is_subtechnique: .nan
  technique: Unsecured Credentials
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1216.001
  is_subtechnique: true
  technique: PubPrn
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1216.001
  is_subtechnique: true
  technique: PubPrn
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1216.001
  is_subtechnique: true
  technique: PubPrn
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1216.001
  is_subtechnique: true
  technique: PubPrn
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4104' event_name: Script Block Logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScriptContent - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: PowerShellCommand - technique_id: T1216.001 is_subtechnique: true technique: PubPrn tactic: - defense-evasion platform: - Windows data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: AmsiScriptDetection - technique_id: T1070.006 is_subtechnique: true technique: Timestomp tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: 
Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.006 is_subtechnique: true technique: Timestomp tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1070.006 is_subtechnique: true technique: Timestomp tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.006 is_subtechnique: true technique: Timestomp tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.006 is_subtechnique: true technique: Timestomp tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.006 is_subtechnique: true technique: Timestomp tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1070.006 is_subtechnique: true technique: Timestomp tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to 
authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4648' event_name: A logon was attempted using explicit credentials. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0122 name: User attempted to authenticate from Device source: user relationship: attempted to authenticate from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0163 name: User authenticated from Device source: user relationship: authenticated from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. 
event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4648' event_name: A logon was attempted using explicit credentials. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.005 is_subtechnique: true technique: Network Share Connection Removal tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.005
  is_subtechnique: true
  technique: Network Share Connection Removal
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: '23'
  event_name: File Delete archived.
  event_platform: windows
  audit_category: FileDelete
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: '23'
  event_name: File Delete archived.
  event_platform: linux
  audit_category: FileDelete
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: '26'
  event_name: File Delete logged.
  event_platform: windows
  audit_category: FileDeleteDetected
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: '4660'
  event_name: An object was deleted.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileDeleted
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: '23'
  event_name: File Delete archived.
  event_platform: windows
  audit_category: FileDelete
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: '23'
  event_name: File Delete archived.
  event_platform: linux
  audit_category: FileDelete
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: '26'
  event_name: File Delete logged.
  event_platform: windows
  audit_category: FileDeleteDetected
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: '4660'
  event_name: An object was deleted.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.004
  is_subtechnique: true
  technique: File Deletion
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileDeleted
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0122
  name: User attempted to authenticate from Device
  source: user
  relationship: attempted to authenticate from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0163
  name: User authenticated from Device
  source: user
  relationship: authenticated from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: '23'
  event_name: File Delete archived.
  event_platform: windows
  audit_category: FileDelete
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: '23'
  event_name: File Delete archived.
  event_platform: linux
  audit_category: FileDelete
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: '26'
  event_name: File Delete logged.
  event_platform: windows
  audit_category: FileDeleteDetected
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: '4660'
  event_name: An object was deleted.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0020
  name: Process deleted File
  source: process
  relationship: deleted
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileDeleted
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: '23'
  event_name: File Delete archived.
  event_platform: windows
  audit_category: FileDelete
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: '23'
  event_name: File Delete archived.
  event_platform: linux
  audit_category: FileDelete
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: '26'
  event_name: File Delete logged.
  event_platform: windows
  audit_category: FileDeleteDetected
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: '4660'
  event_name: An object was deleted.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file deletion
  relationship_id: REL-2022-0144
  name: User deleted File
  source: user
  relationship: deleted
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileDeleted
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileModified
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileModified
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileRenamed
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1070.003
  is_subtechnique: true
  technique: Clear Command History
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4964'
  event_name: Special groups have been assigned to a new logon.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Special Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1550.003
  is_subtechnique: true
  technique: Pass the Ticket
  tactic:
    - defense-evasion
    - lateral-movement
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.003 is_subtechnique: true technique: Pass the Ticket tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1550.003 is_subtechnique: true technique: Pass the Ticket tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0122 name: User attempted to authenticate from Device source: user relationship: attempted to authenticate from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.003 is_subtechnique: true technique: Pass the Ticket tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0163 name: User authenticated from Device source: user relationship: authenticated from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. 
event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.003 is_subtechnique: true technique: Pass the Ticket tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.003 is_subtechnique: true technique: Pass the Ticket tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.003 is_subtechnique: true technique: Pass the Ticket tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4648' event_name: A logon was attempted using explicit credentials. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.003 is_subtechnique: true technique: Pass the Ticket tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1550.003 is_subtechnique: true technique: Pass the Ticket tactic: - defense-evasion - lateral-movement platform: - Windows data_source: active directory data_component: active directory credential request relationship_id: REL-2022-0100 name: User requested AD Credential source: user relationship: requested target: ad credential event_id: '4768' event_name: A Kerberos authentication ticket (TGT) was requested. event_platform: windows audit_category: Account Logon audit_sub_category: Kerberos Authentication Service channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.003 is_subtechnique: true technique: Pass the Ticket tactic: - defense-evasion - lateral-movement platform: - Windows data_source: active directory data_component: active directory credential request relationship_id: REL-2022-0100 name: User requested AD Credential source: user relationship: requested target: ad credential event_id: '4769' event_name: A Kerberos service ticket was requested. 
event_platform: windows audit_category: Account Logon audit_sub_category: Kerberos Service Ticket Operations channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: active directory data_component: active directory credential request relationship_id: REL-2022-0100 name: User requested AD Credential source: user relationship: requested target: ad credential event_id: '4768' event_name: A Kerberos authentication ticket (TGT) was requested. event_platform: windows audit_category: Account Logon audit_sub_category: Kerberos Authentication Service channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: active directory data_component: active directory credential request relationship_id: REL-2022-0100 name: User requested AD Credential source: user relationship: requested target: ad credential event_id: '4769' event_name: A Kerberos service ticket was requested. event_platform: windows audit_category: Account Logon audit_sub_category: Kerberos Service Ticket Operations channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4648' event_name: A logon was attempted using explicit credentials. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0122 name: User attempted to authenticate from Device source: user relationship: attempted to authenticate from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0163 name: User authenticated from Device source: user relationship: authenticated from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. 
event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4648' event_name: A logon was attempted using explicit credentials. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550.002 is_subtechnique: true technique: Pass the Hash tactic: - defense-evasion - lateral-movement platform: - Windows data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: active directory data_component: active directory credential request relationship_id: REL-2022-0100 name: User requested AD Credential source: user relationship: requested target: ad credential event_id: '4768' event_name: A Kerberos authentication ticket (TGT) was requested. event_platform: windows audit_category: Account Logon audit_sub_category: Kerberos Authentication Service channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: active directory data_component: active directory credential request relationship_id: REL-2022-0100 name: User requested AD Credential source: user relationship: requested target: ad credential event_id: '4769' event_name: A Kerberos service ticket was requested. 
event_platform: windows audit_category: Account Logon audit_sub_category: Kerberos Service Ticket Operations channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1550 is_subtechnique: .nan technique: Use Alternate Authentication Material tactic: - defense-evasion - lateral-movement platform: - Windows - Office 365 - SaaS - Google Workspace - IaaS - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4648' event_name: A logon was attempted using explicit credentials. 
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- {technique_id: T1550, is_subtechnique: .nan, technique: Use Alternate Authentication Material, tactic: [defense-evasion, lateral-movement], platform: [Windows, Office 365, SaaS, Google Workspace, IaaS, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0001, name: User attempted to authenticate from Port, source: user, relationship: attempted to authenticate from, target: port, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1550, is_subtechnique: .nan, technique: Use Alternate Authentication Material, tactic: [defense-evasion, lateral-movement], platform: [Windows, Office 365, SaaS, Google Workspace, IaaS, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0122, name: User attempted to authenticate from Device, source: user, relationship: attempted to authenticate from, target: device, event_id: '4776', event_name: The domain controller or local computer attempted to validate the credentials for an account., event_platform: windows, audit_category: Account Logon, audit_sub_category: Credential Validation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1550, is_subtechnique: .nan, technique: Use Alternate Authentication Material, tactic: [defense-evasion, lateral-movement], platform: [Windows, Office 365, SaaS, Google Workspace, IaaS, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0163, name: User authenticated from Device, source: user, relationship: authenticated from, target: device, event_id: '4776', event_name: The domain controller or local computer attempted to validate the credentials for an account., event_platform: windows, audit_category: Account Logon, audit_sub_category: Credential Validation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1550, is_subtechnique: .nan, technique: Use Alternate Authentication Material, tactic: [defense-evasion, lateral-movement], platform: [Windows, Office 365, SaaS, Google Workspace, IaaS, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4624', event_name: An account was successfully logged on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1550, is_subtechnique: .nan, technique: Use Alternate Authentication Material, tactic: [defense-evasion, lateral-movement], platform: [Windows, Office 365, SaaS, Google Workspace, IaaS, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4625', event_name: An account failed to log on., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Account Lockout, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1550, is_subtechnique: .nan, technique: Use Alternate Authentication Material, tactic: [defense-evasion, lateral-movement], platform: [Windows, Office 365, SaaS, Google Workspace, IaaS, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: '4648', event_name: A logon was attempted using explicit credentials., event_platform: windows, audit_category: Logon/Logoff, audit_sub_category: Logon, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1550, is_subtechnique: .nan, technique: Use Alternate Authentication Material, tactic: [defense-evasion, lateral-movement], platform: [Windows, Office 365, SaaS, Google Workspace, IaaS, Containers], data_source: user account, data_component: user account authentication, relationship_id: REL-2022-0170, name: User attempted to authenticate from Ip, source: user, relationship: attempted to authenticate from, target: ip, event_id: DeviceLogonEvents, event_name: DeviceLogonEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LogonSuccess}]}
- {technique_id: T1548.003, is_subtechnique: true, technique: Sudo and Sudo Caching, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1548.003, is_subtechnique: true, technique: Sudo and Sudo Caching, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS], data_source: process, data_component: process metadata, relationship_id: REL-2022-0029, name: Process terminated, source: process, relationship: terminated, target: null, event_id: '5', event_name: Process terminated., event_platform: linux, audit_category: ProcessTerminate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1548.003, is_subtechnique: true, technique: Sudo and Sudo Caching, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1548.003, is_subtechnique: true, technique: Sudo and Sudo Caching, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: process, data_component: process metadata, relationship_id: REL-2022-0029, name: Process terminated, source: process, relationship: terminated, target: null, event_id: '5', event_name: Process terminated., event_platform: windows, audit_category: ProcessTerminate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: process, data_component: process metadata, relationship_id: REL-2022-0073, name: Process searched LDAP, source: process, relationship: searched, target: ldap, event_id: '30', event_name: EventID(30), event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft-Windows-LDAP-Client/Debug, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: process, data_component: process metadata, relationship_id: REL-2022-0073, name: Process searched LDAP, source: process, relationship: searched, target: ldap, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: LdapSearch}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeySet}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: [{EventType: SetValue}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1548.002, is_subtechnique: true, technique: Bypass User Account Control, tactic: [privilege-escalation, defense-evasion], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeyCreated}]}
- {technique_id: T1548.001, is_subtechnique: true, technique: Setuid and Setgid, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileModified}]}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '2', event_name: A process changed a file creation time., event_platform: windows, audit_category: FileCreateTime, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '11', event_name: FileCreate., event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileModified}]}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileRenamed}]}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeySet}]}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: [{EventType: SetValue}]}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeyCreated}]}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1548, is_subtechnique: .nan, technique: Abuse Elevation Control Mechanism, tactic: [privilege-escalation, defense-evasion], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- technique_id: T1548
  is_subtechnique: .nan
  technique: Abuse Elevation Control Mechanism
  tactic: [privilege-escalation, defense-evasion]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process metadata relationship_id: REL-2022-0029 name: Process terminated source: process relationship: terminated target: null event_id: '5' event_name: Process terminated. event_platform: windows audit_category: ProcessTerminate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process metadata relationship_id: REL-2022-0029 name: Process terminated source: process relationship: terminated target: null event_id: '5' event_name: Process terminated. 
event_platform: linux audit_category: ProcessTerminate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: '30' event_name: EventID(30) event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-LDAP-Client/Debug filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LdapSearch - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1548 is_subtechnique: .nan technique: Abuse Elevation Control Mechanism tactic: - privilege-escalation - defense-evasion platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1070.002 is_subtechnique: true technique: Clear Linux or Mac System Logs tactic: - defense-evasion platform: - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1070.002 is_subtechnique: true technique: Clear Linux or Mac System Logs tactic: - defense-evasion platform: - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. 
event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1070.002 is_subtechnique: true technique: Clear Linux or Mac System Logs tactic: - defense-evasion platform: - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '26' event_name: File Delete logged. event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4660' event_name: An object was deleted. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. 
event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '26' event_name: File Delete logged. event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070.001 is_subtechnique: true technique: Clear Windows Event Logs tactic: - defense-evasion platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: '4720' event_name: A user account was created. event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: '4741' event_name: A computer account was created. 
event_platform: windows audit_category: Account Management audit_sub_category: Computer Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: UserAccountCreated - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1136.002 is_subtechnique: true technique: Domain Account tactic: - persistence platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: '4720' event_name: A user account was created. 
event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: '4741' event_name: A computer account was created. event_platform: windows audit_category: Account Management audit_sub_category: Computer Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: UserAccountCreated - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: 
process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: 
process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1136.001 is_subtechnique: true technique: Local Account tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.010 is_subtechnique: true technique: Port Monitors tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: 
REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1547.009 is_subtechnique: true technique: Shortcut Modification tactic: - persistence - 
privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File 
source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation 
relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: '6' event_name: Driver loaded. event_platform: windows audit_category: DriverLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.008 is_subtechnique: true technique: LSASS Driver tactic: - persistence - privilege-escalation platform: - Windows data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: DriverLoaded - technique_id: T1547.006 is_subtechnique: true technique: Kernel Modules and Extensions tactic: - persistence - privilege-escalation platform: - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547.006 is_subtechnique: true technique: Kernel Modules and Extensions tactic: - persistence - privilege-escalation platform: - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547.006 is_subtechnique: true technique: Kernel Modules and Extensions tactic: - persistence - privilege-escalation platform: - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547.006 is_subtechnique: true technique: Kernel Modules and Extensions tactic: - persistence - privilege-escalation platform: - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547.006 is_subtechnique: true technique: Kernel Modules and Extensions tactic: - persistence - privilege-escalation platform: - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.005 is_subtechnique: true technique: Security Support Provider tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1547.005
  is_subtechnique: true
  technique: Security Support Provider
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547.005
  is_subtechnique: true
  technique: Security Support Provider
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.005
  is_subtechnique: true
  technique: Security Support Provider
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.005
  is_subtechnique: true
  technique: Security Support Provider
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1547.005
  is_subtechnique: true
  technique: Security Support Provider
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.004
  is_subtechnique: true
  technique: Winlogon Helper DLL
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1547.003
  is_subtechnique: true
  technique: Time Providers
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1546.013
  is_subtechnique: true
  technique: PowerShell Profile
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1546.013
  is_subtechnique: true
  technique: PowerShell Profile
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1546.013
  is_subtechnique: true
  technique: PowerShell Profile
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1546.013
  is_subtechnique: true
  technique: PowerShell Profile
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1546.013
  is_subtechnique: true
  technique: PowerShell Profile
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1546.013
  is_subtechnique: true
  technique: PowerShell Profile
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1546.013
  is_subtechnique: true
  technique: PowerShell Profile
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1546.013
  is_subtechnique: true
  technique: PowerShell Profile
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name:
User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows 
data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.013 is_subtechnique: true technique: PowerShell Profile tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.012 is_subtechnique: true technique: Image File Execution Options Injection tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.008 is_subtechnique: true technique: Odbcconf tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0014, name: User loaded Module, source: user, relationship: loaded, target: module, event_id: DeviceImageLoadEvents, event_name: DeviceImageLoadEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ImageLoaded}]}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0178, name: Process loaded Module, source: process, relationship: loaded, target: module, event_id: '7', event_name: Image loaded., event_platform: windows, audit_category: ImageLoad, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0178, name: Process loaded Module, source: process, relationship: loaded, target: module, event_id: DeviceImageLoadEvents, event_name: DeviceImageLoadEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ImageLoaded}]}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1218.008, is_subtechnique: true, technique: Odbcconf, tactic: [defense-evasion], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0041, name: User modified File, source: user, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileModified}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '2', event_name: A process changed a file creation time., event_platform: windows, audit_category: FileCreateTime, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '11', event_name: FileCreate., event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileModified}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: file, data_component: file modification, relationship_id: REL-2022-0155, name: Process modified File, source: process, relationship: modified, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileRenamed}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0014, name: User loaded Module, source: user, relationship: loaded, target: module, event_id: '7', event_name: Image loaded., event_platform: windows, audit_category: ImageLoad, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0014, name: User loaded Module, source: user, relationship: loaded, target: module, event_id: DeviceImageLoadEvents, event_name: DeviceImageLoadEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ImageLoaded}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0178, name: Process loaded Module, source: process, relationship: loaded, target: module, event_id: '7', event_name: Image loaded., event_platform: windows, audit_category: ImageLoad, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0178, name: Process loaded Module, source: process, relationship: loaded, target: module, event_id: DeviceImageLoadEvents, event_name: DeviceImageLoadEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ImageLoaded}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeySet}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: [{EventType: SetValue}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1546.011, is_subtechnique: true, technique: Application Shimming, tactic: [privilege-escalation, persistence], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeyCreated}]}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0014, name: User loaded Module, source: user, relationship: loaded, target: module, event_id: '7', event_name: Image loaded., event_platform: windows, audit_category: ImageLoad, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0014, name: User loaded Module, source: user, relationship: loaded, target: module, event_id: DeviceImageLoadEvents, event_name: DeviceImageLoadEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ImageLoaded}]}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0178, name: Process loaded Module, source: process, relationship: loaded, target: module, event_id: '7', event_name: Image loaded., event_platform: windows, audit_category: ImageLoad, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: module, data_component: module load, relationship_id: REL-2022-0178, name: Process loaded Module, source: process, relationship: loaded, target: module, event_id: DeviceImageLoadEvents, event_name: DeviceImageLoadEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ImageLoaded}]}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeySet}]}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: [{EventType: SetValue}]}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1547.002, is_subtechnique: true, technique: Authentication Package, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- technique_id: T1547.002 is_subtechnique: true technique: Authentication Package tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed.
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.002 is_subtechnique: true technique: Authentication Package tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1547.002 is_subtechnique: true technique: Authentication Package tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1547.002 is_subtechnique: true technique: Authentication Package tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.002 is_subtechnique: true technique: Authentication Package tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.002 is_subtechnique: true technique: Authentication Package tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1547.002 is_subtechnique: true technique: Authentication Package tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1547.002 is_subtechnique: true technique: Authentication Package tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.002 is_subtechnique: true technique: Authentication Package tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.002 is_subtechnique: true technique: Authentication Package tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1547.002 is_subtechnique: true technique: Authentication Package tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.010 is_subtechnique: true technique: AppInit DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1546.009 is_subtechnique: true technique: AppCert DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.009 is_subtechnique: true technique: AppCert DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.009 is_subtechnique: true technique: AppCert DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.009 is_subtechnique: true technique: AppCert DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.009 is_subtechnique: true technique: AppCert DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.009 is_subtechnique: true technique: AppCert DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.009 is_subtechnique: true technique: AppCert DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.009 is_subtechnique: true technique: AppCert DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.009 is_subtechnique: true technique: AppCert DLLs tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1546.009
  is_subtechnique: true
  technique: AppCert DLLs
  tactic:
  - privilege-escalation
  - persistence
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1218.007
  is_subtechnique: true
  technique: Msiexec
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.007 is_subtechnique: true technique: Msiexec tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows 
data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. 
event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.008 is_subtechnique: true technique: Accessibility Features tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.007 is_subtechnique: true technique: Netsh Helper DLL tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1546.005 is_subtechnique: true technique: Trap tactic: - privilege-escalation - persistence platform: - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546.005 is_subtechnique: true technique: Trap tactic: - privilege-escalation - persistence platform: - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546.005 is_subtechnique: true technique: Trap tactic: - privilege-escalation - persistence platform: - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546.005 is_subtechnique: true technique: Trap tactic: - privilege-escalation - persistence platform: - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546.005 is_subtechnique: true technique: Trap tactic: - privilege-escalation - persistence platform: - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546.004 is_subtechnique: true technique: Unix Shell Configuration Modification tactic: - privilege-escalation - persistence platform: - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546.004 is_subtechnique: true technique: Unix Shell Configuration Modification tactic: - privilege-escalation - persistence platform: - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546.004 is_subtechnique: true technique: Unix Shell Configuration Modification tactic: - privilege-escalation - persistence platform: - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546.004 is_subtechnique: true technique: Unix Shell Configuration Modification tactic: - privilege-escalation - persistence platform: - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546.004 is_subtechnique: true technique: Unix Shell Configuration Modification tactic: - privilege-escalation - persistence platform: - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
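A mapping like the one above is only useful once it is checked against the telemetry an environment actually collects: every `relationship_id` (for example REL-2022-0043, "User created File") for a technique is satisfied only by the listed `(event_platform, log_source, event_id)` rows, and a `filter_in` clause means the generic table or event has to be narrowed before it counts. The script below, an added example that is not part of the mapping file, takes a constructed subset of the records on this page (T1546.003, T1546.005 and T1546.007, reduced to the fields the check needs) and reports, per relationship, which collected sources can observe it and which relationships are unobservable. Note that the Linux Trap and Unix Shell Configuration rows here list `sysmon` as their only log source, so a Windows-only stack leaves them uncovered.

```python
"""Coverage check for a technique-to-event mapping (added example)."""
from collections import defaultdict


def _rec(tid, rid, platform, log_source, event_id, filter_in=None):
    # Only the mapping fields the check needs; the real records carry more.
    return {"technique_id": tid, "relationship_id": rid, "event_platform": platform,
            "log_source": log_source, "event_id": event_id, "filter_in": filter_in}


# Constructed subset of this page's mapping, transcribed into Python dicts so no
# YAML parser is required.
MAPPING = [
    _rec("T1546.003", "REL-2022-0080", "windows", "Microsoft-Windows-Sysmon", "19"),
    _rec("T1546.003", "REL-2022-0080", "windows", "Microsoft-Windows-Sysmon", "20"),
    _rec("T1546.003", "REL-2022-0080", "windows", "Microsoft-Windows-Sysmon", "21"),
    _rec("T1546.003", "REL-2022-0080", "windows", "Microsoft Defender for Endpoint",
         "DeviceEvents", [{"ActionType": "WmiBindEventFilterToConsumer"}]),
    _rec("T1546.003", "REL-2022-0080", "windows", "Microsoft-Windows-WMI-Activity", "5861"),
    _rec("T1546.005", "REL-2022-0043", "linux", "sysmon", "11"),
    _rec("T1546.005", "REL-2022-0131", "linux", "sysmon", "1"),
    _rec("T1546.007", "REL-2022-0071", "windows", "Microsoft-Windows-Security-Auditing",
         "4657", [{"OperationType": "Existing registry value modified"}]),
    _rec("T1546.007", "REL-2022-0071", "windows", "Microsoft-Windows-Sysmon",
         "13", [{"EventType": "SetValue"}]),
]


def coverage(mapping, collected):
    """Return {technique: {relationship: [observable event descriptions]}}.

    `collected` is the set of (event_platform, log_source) pairs the SIEM ingests.
    A relationship whose list is empty cannot be observed with that telemetry.
    """
    cov = defaultdict(lambda: defaultdict(list))
    for rec in mapping:
        events = cov[rec["technique_id"]][rec["relationship_id"]]  # registers the relationship
        if (rec["event_platform"], rec["log_source"]) not in collected:
            continue
        # The mapping quotes most event IDs but leaves a few bare (e.g. FileCreate 11);
        # coerce so string comparisons downstream do not silently miss them.
        desc = f'{rec["log_source"]}:{str(rec["event_id"])}'
        if rec["filter_in"]:
            # filter_in narrows a generic table/event to the rows that matter.
            conds = [f"{k}={v}" for clause in rec["filter_in"] for k, v in clause.items()]
            desc += " where " + " and ".join(conds)
        events.append(desc)
    return {t: dict(rels) for t, rels in cov.items()}


def gaps(cov):
    """(technique, relationship) pairs with nothing observable, sorted."""
    return sorted((t, r) for t, rels in cov.items() for r, evs in rels.items() if not evs)


if __name__ == "__main__":
    have = {("windows", "Microsoft-Windows-Sysmon"),
            ("windows", "Microsoft-Windows-Security-Auditing")}
    cov = coverage(MAPPING, have)
    for t, rels in cov.items():
        for r, evs in rels.items():
            print(t, r, evs or "NO COVERAGE")
    print("gaps:", gaps(cov))
```

Run it with the set of sources you actually forward; the `gaps` list is the telemetry backlog for the techniques in the subset, and the `where` suffix tells you which filter to apply before counting a generic event as coverage.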
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: wmi data_component: wmi creation relationship_id: REL-2022-0080 name: User created Wmi object source: user relationship: created target: wmi object event_id: '19' event_name: WmiEvent (WmiEventFilter activity detected). event_platform: windows audit_category: WmiEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: wmi data_component: wmi creation relationship_id: REL-2022-0080 name: User created Wmi object source: user relationship: created target: wmi object event_id: '20' event_name: WmiEvent (WmiEventConsumer activity detected). 
event_platform: windows audit_category: WmiEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: wmi data_component: wmi creation relationship_id: REL-2022-0080 name: User created Wmi object source: user relationship: created target: wmi object event_id: '21' event_name: WmiEvent (WmiEventConsumerToFilter activity detected). event_platform: windows audit_category: WmiEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: wmi data_component: wmi creation relationship_id: REL-2022-0080 name: User created Wmi object source: user relationship: created target: wmi object event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: WmiBindEventFilterToConsumer - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: wmi data_component: wmi creation relationship_id: REL-2022-0080 name: User created Wmi object source: user relationship: created target: wmi object event_id: '5860' event_name: WMI temporary event created. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-WMI-Activity filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: wmi data_component: wmi creation relationship_id: REL-2022-0080 name: User created Wmi object source: user relationship: created target: wmi object event_id: '5861' event_name: WMI permanent event created. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-WMI-Activity filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: wmi data_component: wmi creation relationship_id: REL-2022-0080 name: User created Wmi object source: user relationship: created target: wmi object event_id: '5857' event_name: WMIProv provider started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-WMI-Activity filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: wmi data_component: wmi creation relationship_id: REL-2022-0080 name: User created Wmi object source: user relationship: created target: wmi object event_id: '5858' event_name: WMI Query Error. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-WMI-Activity filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: wmi data_component: wmi creation relationship_id: REL-2022-0080 name: User created Wmi object source: user relationship: created target: wmi object event_id: '5859' event_name: WMI Event. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-WMI-Activity filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
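The T1546.003 rows above map the "User created Wmi object" relationship to three Sysmon events that only mean something together: 19 (an `__EventFilter` was created), 20 (an event consumer was created) and 21 (a `__FilterToConsumerBinding` joined them). A persistence subscription exists only once the binding lands, and it executes attacker code only if the consumer is a command-line or script consumer. The detector below, an added example that is not part of the mapping or of Sysmon, replays a constructed stream of such events, tracks filters and consumers by `Name`, and raises a finding on each binding that completes a code-executing subscription. The field names follow Sysmon's schema for events 19/20/21 (`Name`, `Query`, `EventNamespace`; `Name`, `Type`, `Destination`; `Consumer`, `Filter`; all with `Operation` and `User`); the sample events, the user names and the consumer `Type` strings are constructed.

```python
"""Correlate Sysmon WMI events 19/20/21 into permanent subscriptions (added example)."""
import re

# Consumer classes that run arbitrary commands or script when the filter fires.
CODE_EXEC_CONSUMER_TYPES = {"Command Line", "Active Script"}
# Event 21 references objects as e.g. CommandLineEventConsumer.Name="X"
REF_NAME = re.compile(r'Name="([^"]*)"')

# Constructed sample stream: one malicious subscription, then a benign one that
# resembles the default SCM event-log binding present on Windows hosts.
SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "User": "CORP\\admin",
     "EventNamespace": "root/subscription", "Name": "UpdateFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "User": "CORP\\admin",
     "Name": "UpdateConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"EventID": 21, "Operation": "Created", "User": "CORP\\admin",
     "Consumer": 'CommandLineEventConsumer.Name="UpdateConsumer"',
     "Filter": '__EventFilter.Name="UpdateFilter"'},
    {"EventID": 19, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "EventNamespace": "root/subscription", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "Event Log", "Destination": ""},
    {"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]


def _ref_name(ref):
    """Pull the object Name out of an event 21 Consumer/Filter reference."""
    m = REF_NAME.search(ref)
    return m.group(1) if m else ref


def correlate(events):
    """Replay events in order; return one finding per binding that completes a
    subscription. Filters and consumers are indexed by Name so a binding can be
    joined to the objects created earlier in the stream."""
    filters, consumers, findings = {}, {}, []
    for ev in events:
        eid, op = ev["EventID"], ev.get("Operation")
        if eid == 19:
            if op == "Created":
                filters[ev["Name"]] = ev
            else:
                filters.pop(ev["Name"], None)
        elif eid == 20:
            if op == "Created":
                consumers[ev["Name"]] = ev
            else:
                consumers.pop(ev["Name"], None)
        elif eid == 21 and op == "Created":
            fname, cname = _ref_name(ev["Filter"]), _ref_name(ev["Consumer"])
            flt, consumer = filters.get(fname), consumers.get(cname)
            if consumer is None or flt is None:
                # Binding to an object whose creation we never saw (pre-existing, or
                # created while Sysmon was not running): still a complete subscription.
                findings.append({"severity": "medium", "user": ev["User"], "filter": fname,
                                 "consumer": cname,
                                 "reason": "binding references unseen filter or consumer"})
            elif consumer["Type"] in CODE_EXEC_CONSUMER_TYPES:
                findings.append({"severity": "high", "user": ev["User"], "filter": fname,
                                 "consumer": cname, "type": consumer["Type"],
                                 "payload": consumer["Destination"], "query": flt["Query"],
                                 "reason": "code-executing consumer bound to a filter"})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"], f["user"], f["consumer"], "<-", f["filter"], f["reason"])
```

The same join can be driven from the other rows in the mapping: Microsoft Defender for Endpoint collapses the three steps into a single `DeviceEvents` row with `ActionType: WmiBindEventFilterToConsumer`, and the WMI-Activity channel's 5861 fires on the permanent subscription itself, so either one is a single-event substitute for the binding branch above.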
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.003 is_subtechnique: true technique: Windows Management Instrumentation Event Subscription tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
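Both Netsh Helper DLL (T1546.007, earlier in this section) and Screensaver (T1546.002, above) map the "Process modified Registry" relationship to Sysmon event 13 with `filter_in: EventType: SetValue`, to Security 4657, and to Defender's `RegistryValueSet`. The event alone is noise; the signal is which value was set and what it now points at. The rule below, an added example that is not part of the mapping, applies that filter to a constructed batch of Sysmon event 13 records and grades each write. The registry locations come from the public ATT&CK descriptions of the two techniques, not from this mapping: helpers are registered as values under `HKLM\SOFTWARE\Microsoft\NetSh`, and the screensaver binary is the `SCRNSAVE.EXE` value under the user's `Control Panel\Desktop` key, which Sysmon reports under `HKU\<SID>`. The image paths, SID and value data in the samples are constructed.

```python
"""Grade Sysmon event 13 (Value Set) writes for T1546.007 and T1546.002 (added example)."""
import re

# Paths from the ATT&CK descriptions of the two techniques (assumption: Sysmon's
# HKLM/HKU hive naming). A helper DLL is loaded by netsh.exe on every run; the
# SCRNSAVE.EXE value is launched when the screensaver timeout fires.
NETSH_HELPER_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\NetSh\\[^\\]+$", re.IGNORECASE)
SCREENSAVER_VALUE = re.compile(
    r"\\Control Panel\\Desktop\\(SCRNSAVE\.EXE|ScreenSaveActive|ScreenSaverIsSecure|ScreenSaveTimeout)$",
    re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\System32\\", re.IGNORECASE)

# Constructed Sysmon event 13 records (fields: Image, TargetObject, Details).
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\helper",
     "Details": "C:\\Users\\Public\\helper.dll"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\netsh.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\wlancfg",
     "Details": "C:\\Windows\\System32\\wlancfg.dll"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Control Panel\\Desktop\\SCRNSAVE.EXE",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\update.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Control Panel\\Desktop\\SCRNSAVE.EXE",
     "Details": "C:\\Windows\\System32\\Bubbles.scr"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Control Panel\\Desktop\\ScreenSaveTimeout",
     "Details": "600"},
]


def _finding(technique, severity, ev, reason):
    return {"technique": technique, "severity": severity, "reason": reason,
            "image": ev.get("Image", ""), "target": ev["TargetObject"], "data": ev.get("Details", "")}


def evaluate(events):
    """Return one finding per registry write that touches either technique's keys."""
    findings = []
    for ev in events:
        # Same narrowing as the mapping's filter_in: only SetValue writes matter here.
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        target, data, image = ev["TargetObject"], ev.get("Details", ""), ev.get("Image", "")
        if NETSH_HELPER_KEY.search(target):
            # Installers register helpers under System32 through netsh.exe itself;
            # any other writer or any other DLL location is suspect.
            legit = bool(SYSTEM_DIR.match(data)) and image.lower().endswith("\\netsh.exe")
            findings.append(_finding("T1546.007", "low" if legit else "high", ev,
                                     "netsh helper DLL registered"))
            continue
        m = SCREENSAVER_VALUE.search(target)
        if not m:
            continue
        if m.group(1).lower() == "scrnsave.exe":
            # A real screensaver is a .scr shipped in System32; anything else is a
            # user-writable binary that runs on the idle timeout.
            legit = data.lower().endswith(".scr") and bool(SYSTEM_DIR.match(data))
            findings.append(_finding("T1546.002", "low" if legit else "high", ev,
                                     "screensaver binary changed"))
        else:
            # Timeout/active/secure changes are what an attacker tunes so the .scr
            # fires quickly; informational alone, weight them with SCRNSAVE.EXE writes.
            findings.append(_finding("T1546.002", "info", ev, f"{m.group(1)} changed"))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f["technique"], f["severity"], f["reason"], "->", f["data"])
```

For Security 4657 the same logic applies to `ObjectName`/`ObjectValueName` with the mapping's `OperationType: Existing registry value modified` filter, and for Defender to `RegistryKey`/`RegistryValueName`/`RegistryValueData` on `RegistryValueSet` rows; only the field names change.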
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File 
source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. 
event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.002 is_subtechnique: true technique: Screensaver tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1546.001 is_subtechnique: true technique: Change Default File Association tactic: - privilege-escalation - persistence platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1547.001 is_subtechnique: true technique: Registry Run Keys / Startup Folder tactic: - persistence - privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). 
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: New registry value created
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1547.001
  is_subtechnique: true
  technique: Registry Run Keys / Startup Folder
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.002
  is_subtechnique: true
  technique: Control Panel
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1218.010
  is_subtechnique: true
  technique: Regsvr32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.010
  is_subtechnique: true
  technique: Regsvr32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.010
  is_subtechnique: true
  technique: Regsvr32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been 
created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.010 is_subtechnique: true technique: Regsvr32 tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.009 is_subtechnique: true technique: Regsvcs/Regasm tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.005
  is_subtechnique: true
  technique: Mshta
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.005 is_subtechnique: true technique: Mshta tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.004 is_subtechnique: true technique: InstallUtil tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.001 is_subtechnique: true technique: Compiled HTML File tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new 
process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.003 is_subtechnique: true technique: CMSTP tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1218.011 is_subtechnique: true technique: Rundll32 tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218.011 is_subtechnique: true technique: Rundll32 tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1218.011 is_subtechnique: true technique: Rundll32 tactic: - defense-evasion platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1218.011
  is_subtechnique: true
  technique: Rundll32
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: New registry value created
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: driver
  data_component: driver load
  relationship_id: REL-2022-0126
  name: Driver loaded
  source: driver
  relationship: loaded
  target: null
  event_id: '6'
  event_name: Driver loaded.
  event_platform: windows
  audit_category: DriverLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: driver
  data_component: driver load
  relationship_id: REL-2022-0126
  name: Driver loaded
  source: driver
  relationship: loaded
  target: null
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: DriverLoaded
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1547
  is_subtechnique: false
  technique: Boot or Logon Autostart Execution
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: 
Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. 
event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1547 is_subtechnique: false technique: Boot or Logon Autostart Execution tactic: - persistence - privilege-escalation platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows 
data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1546 is_subtechnique: .nan technique: Event Triggered Execution tactic: - privilege-escalation - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: windows, audit_category: FileCreate, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: linux, audit_category: FileCreate, audit_sub_category: null, channel: null, log_source: sysmon, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: wmi, data_component: wmi creation, relationship_id: REL-2022-0080, name: User created Wmi object, source: user, relationship: created, target: wmi object, event_id: '19', event_name: WmiEvent (WmiEventFilter activity detected)., event_platform: windows, audit_category: WmiEvent, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: wmi, data_component: wmi creation, relationship_id: REL-2022-0080, name: User created Wmi object, source: user, relationship: created, target: wmi object, event_id: '20', event_name: WmiEvent (WmiEventConsumer activity detected)., event_platform: windows, audit_category: WmiEvent, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: wmi, data_component: wmi creation, relationship_id: REL-2022-0080, name: User created Wmi object, source: user, relationship: created, target: wmi object, event_id: '21', event_name: WmiEvent (WmiEventConsumerToFilter activity detected)., event_platform: windows, audit_category: WmiEvent, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: wmi, data_component: wmi creation, relationship_id: REL-2022-0080, name: User created Wmi object, source: user, relationship: created, target: wmi object, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: WmiBindEventFilterToConsumer}]}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: wmi, data_component: wmi creation, relationship_id: REL-2022-0080, name: User created Wmi object, source: user, relationship: created, target: wmi object, event_id: '5860', event_name: WMI temporary event created., event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft-Windows-WMI-Activity, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: wmi, data_component: wmi creation, relationship_id: REL-2022-0080, name: User created Wmi object, source: user, relationship: created, target: wmi object, event_id: '5861', event_name: WMI permanent event created., event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft-Windows-WMI-Activity, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: wmi, data_component: wmi creation, relationship_id: REL-2022-0080, name: User created Wmi object, source: user, relationship: created, target: wmi object, event_id: '5857', event_name: WMIProv provider started., event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft-Windows-WMI-Activity, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: wmi, data_component: wmi creation, relationship_id: REL-2022-0080, name: User created Wmi object, source: user, relationship: created, target: wmi object, event_id: '5858', event_name: WMI Query Error., event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft-Windows-WMI-Activity, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: wmi, data_component: wmi creation, relationship_id: REL-2022-0080, name: User created Wmi object, source: user, relationship: created, target: wmi object, event_id: '5859', event_name: WMI Event., event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft-Windows-WMI-Activity, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: null, audit_sub_category: null, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: null, channel: null, log_source: sysmon, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: null, audit_sub_category: null, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: null}
- {technique_id: T1546, is_subtechnique: false, technique: Event Triggered Execution, tactic: [privilege-escalation, persistence], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0003, name: User modified User, source: user, relationship: modified, target: user, event_id: '4738', event_name: A user account was changed., event_platform: windows, audit_category: Account Management, audit_sub_category: User Account Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0003, name: User modified User, source: user, relationship: modified, target: user, event_id: '4781', event_name: The name of an account was changed., event_platform: windows, audit_category: Account Management, audit_sub_category: User Account Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0003, name: User modified User, source: user, relationship: modified, target: user, event_id: '4742', event_name: A computer account was changed., event_platform: windows, audit_category: Account Management, audit_sub_category: Computer Account Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0003, name: User modified User, source: user, relationship: modified, target: user, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: UserAccountModified}]}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0009, name: User locked User, source: user, relationship: locked, target: user, event_id: '4740', event_name: A user account was locked out., event_platform: windows, audit_category: Account Management, audit_sub_category: User Account Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0019, name: User unlocked User, source: user, relationship: unlocked, target: user, event_id: '4767', event_name: A user account was unlocked., event_platform: windows, audit_category: Account Management, audit_sub_category: User Account Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0024, name: User enabled User, source: user, relationship: enabled, target: user, event_id: '4722', event_name: A user account was enabled., event_platform: windows, audit_category: Account Management, audit_sub_category: User Account Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0024, name: User enabled User, source: user, relationship: enabled, target: user, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: UserAccountModified}]}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0042, name: User granted access to User, source: user, relationship: granted access to, target: user, event_id: '4717', event_name: System security access was granted to an account., event_platform: windows, audit_category: Policy Change, audit_sub_category: Authentication Policy Change, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0083, name: User removed access from User, source: user, relationship: removed access from, target: user, event_id: '4718', event_name: System security access was removed from an account., event_platform: windows, audit_category: Policy Change, audit_sub_category: Authentication Policy Change, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0109, name: User disabled User, source: user, relationship: disabled, target: user, event_id: '4725', event_name: A user account was disabled., event_platform: windows, audit_category: Account Management, audit_sub_category: User Account Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0109, name: User disabled User, source: user, relationship: disabled, target: user, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: UserAccountModified}]}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0133, name: User attempted to modify User, source: user, relationship: attempted to modify, target: user, event_id: '4723', event_name: An attempt was made to change an account's password., event_platform: windows, audit_category: Account Management, audit_sub_category: User Account Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: user account, data_component: user account modification, relationship_id: REL-2022-0133, name: User attempted to modify User, source: user, relationship: attempted to modify, target: user, event_id: '4724', event_name: An attempt was made to reset an account's password., event_platform: windows, audit_category: Account Management, audit_sub_category: User Account Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: group, data_component: group modification, relationship_id: REL-2022-0185, name: User modified Group, source: user, relationship: modified, target: group, event_id: '4728', event_name: A member was added to a security-enabled global group., event_platform: windows, audit_category: Account Management, audit_sub_category: Security Group Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: group, data_component: group modification, relationship_id: REL-2022-0185, name: User modified Group, source: user, relationship: modified, target: group, event_id: '4729', event_name: A member was removed from a security-enabled global group., event_platform: windows, audit_category: Account Management, audit_sub_category: Security Group Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: group, data_component: group modification, relationship_id: REL-2022-0185, name: User modified Group, source: user, relationship: modified, target: group, event_id: '4732', event_name: A member was added to a security-enabled local group., event_platform: windows, audit_category: Account Management, audit_sub_category: Security Group Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: group, data_component: group modification, relationship_id: REL-2022-0185, name: User modified Group, source: user, relationship: modified, target: group, event_id: '4733', event_name: A member was removed from a security-enabled local group., event_platform: windows, audit_category: Account Management, audit_sub_category: Security Group Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: group, data_component: group modification, relationship_id: REL-2022-0185, name: User modified Group, source: user, relationship: modified, target: group, event_id: '4735', event_name: A security-enabled local group was changed., event_platform: windows, audit_category: Account Management, audit_sub_category: Security Group Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: group, data_component: group modification, relationship_id: REL-2022-0185, name: User modified Group, source: user, relationship: modified, target: group, event_id: '4737', event_name: A security-enabled global group was changed., event_platform: windows, audit_category: Account Management, audit_sub_category: Security Group Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: group, data_component: group modification, relationship_id: REL-2022-0185, name: User modified Group, source: user, relationship: modified, target: group, event_id: '4755', event_name: A security-enabled universal group was changed., event_platform: windows, audit_category: Account Management, audit_sub_category: Security Group Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: group, data_component: group modification, relationship_id: REL-2022-0185, name: User modified Group, source: user, relationship: modified, target: group, event_id: '4756', event_name: A member was added to a security-enabled universal group., event_platform: windows, audit_category: Account Management, audit_sub_category: Security Group Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: group, data_component: group modification, relationship_id: REL-2022-0185, name: User modified Group, source: user, relationship: modified, target: group, event_id: '4757', event_name: A member was removed from a security-enabled universal group., event_platform: windows, audit_category: Account Management, audit_sub_category: Security Group Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1098.002, is_subtechnique: true, technique: Additional Email Delegate Permissions, tactic: [persistence], platform: [Windows, Office 365, Google Workspace], data_source: group, data_component: group modification, relationship_id: REL-2022-0185, name: User modified Group, source: user, relationship: modified, target: group, event_id: '4764', event_name: A group's type was changed., event_platform: windows, audit_category: Account Management, audit_sub_category: Security Group Management, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: driver, data_component: driver load, relationship_id: REL-2022-0126, name: Driver loaded, source: driver, relationship: loaded, target: null, event_id: '6', event_name: Driver loaded., event_platform: windows, audit_category: DriverLoad, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: null}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: driver, data_component: driver load, relationship_id: REL-2022-0126, name: Driver loaded, source: driver, relationship: loaded, target: null, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: DriverLoad}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: null}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: null}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0145, name: User modified Registry, source: user, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeySet}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '13', event_name: RegistryEvent (Value Set)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: [{EventType: SetValue}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '14', event_name: RegistryEvent (Key and Value Rename)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: null}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{OperationType: Existing registry value modified}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: '4670', event_name: Permissions on an object were changed., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key modification, relationship_id: REL-2022-0071, name: Process modified Registry, source: process, relationship: modified, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeyCreated}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key creation, relationship_id: REL-2022-0125, name: Process created Registry, source: process, relationship: created, target: registry, event_id: '12', event_name: RegistryEvent (Object create and delete)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: [{EventType: CreateKey}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key creation, relationship_id: REL-2022-0125, name: Process created Registry, source: process, relationship: created, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key creation, relationship_id: REL-2022-0125, name: Process created Registry, source: process, relationship: created, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeyCreated}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key creation, relationship_id: REL-2022-0125, name: Process created Registry, source: process, relationship: created, target: registry, event_id: '4657', event_name: A registry value was modified., event_platform: windows, audit_category: Object Access, audit_sub_category: Registry, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: null}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key creation, relationship_id: REL-2022-0105, name: User created Registry, source: user, relationship: created, target: registry, event_id: '12', event_name: RegistryEvent (Object create and delete)., event_platform: windows, audit_category: RegistryEvent, audit_sub_category: null, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: [{EventType: CreateKey}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key creation, relationship_id: REL-2022-0105, name: User created Registry, source: user, relationship: created, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryValueSet}]}
- {technique_id: T1543.003, is_subtechnique: true, technique: Windows Service, tactic: [persistence, privilege-escalation], platform: [Windows], data_source: windows registry, data_component: windows registry key creation, relationship_id: REL-2022-0105, name: User created Registry, source: user, relationship: created, target: registry, event_id: DeviceRegistryEvents, event_name: DeviceRegistryEvents, event_platform: windows, audit_category: null, audit_sub_category: null, channel: null, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: RegistryKeyCreated}]}
- technique_id: T1543.003
  is_subtechnique: true
  technique: Windows Service
  tactic:
  - persistence
  -
privilege-escalation platform: - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: New registry value created - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: '4697' event_name: A service was installed in the system. event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: '7045' event_name: A new service was installed in the system. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: Service Control Manager filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: service data_component: service creation relationship_id: REL-2022-0097 name: User created Service source: user relationship: created target: service event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ServiceInstalled - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1543.003 is_subtechnique: true technique: Windows Service tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1543.002 is_subtechnique: true technique: Systemd Service tactic: - persistence - privilege-escalation platform: - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1543.002 is_subtechnique: true technique: Systemd Service tactic: - persistence - privilege-escalation platform: - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1543.002 is_subtechnique: true technique: Systemd Service tactic: - persistence - privilege-escalation platform: - Linux data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1543.002 is_subtechnique: true technique: Systemd Service tactic: - persistence - privilege-escalation platform: - Linux data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1543.002 is_subtechnique: true technique: Systemd Service tactic: - persistence - privilege-escalation platform: - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1037.004 is_subtechnique: true technique: RC Scripts tactic: - persistence - privilege-escalation platform: - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1037.004 is_subtechnique: true technique: RC Scripts tactic: - persistence - privilege-escalation platform: - macOS - Linux data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1037.004 is_subtechnique: true technique: RC Scripts tactic: - persistence - privilege-escalation platform: - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1037.004 is_subtechnique: true technique: RC Scripts tactic: - persistence - privilege-escalation platform: - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1037.004 is_subtechnique: true technique: RC Scripts tactic: - persistence - privilege-escalation platform: - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '10' event_name: Process Access. event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '10' event_name: ProcessAccess event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: 
process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: process modification relationship_id: REL-2022-0143 name: Process modified Process source: process relationship: modified target: process event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055.012 is_subtechnique: true technique: Process Hollowing tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: process modification relationship_id: REL-2022-0143 name: Process modified Process source: process relationship: modified target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1055.013 is_subtechnique: true technique: "Process Doppelg\xE4nging" tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055.013 is_subtechnique: true technique: "Process Doppelg\xE4nging" tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1055.011 is_subtechnique: true technique: Extra Window Memory Injection tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055.011 is_subtechnique: true technique: Extra Window Memory Injection tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1055.005 is_subtechnique: true technique: Thread Local Storage tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: process modification relationship_id: REL-2022-0143 name: Process modified Process source: process relationship: modified target: process event_id: '8' event_name: CreateRemoteThread. 
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.005
  is_subtechnique: true
  technique: Thread Local Storage
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process modification
  relationship_id: REL-2022-0143
  name: Process modified Process
  source: process
  relationship: modified
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1055.005
  is_subtechnique: true
  technique: Thread Local Storage
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.005
  is_subtechnique: true
  technique: Thread Local Storage
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.005
  is_subtechnique: true
  technique: Thread Local Storage
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.005
  is_subtechnique: true
  technique: Thread Local Storage
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '10'
  event_name: Process Access.
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.005
  is_subtechnique: true
  technique: Thread Local Storage
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.005
  is_subtechnique: true
  technique: Thread Local Storage
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.005
  is_subtechnique: true
  technique: Thread Local Storage
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.005
  is_subtechnique: true
  technique: Thread Local Storage
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.005
  is_subtechnique: true
  technique: Thread Local Storage
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.005
  is_subtechnique: true
  technique: Thread Local Storage
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process modification
  relationship_id: REL-2022-0143
  name: Process modified Process
  source: process
  relationship: modified
  target: process
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process modification
  relationship_id: REL-2022-0143
  name: Process modified Process
  source: process
  relationship: modified
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '10'
  event_name: Process Access.
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.004
  is_subtechnique: true
  technique: Asynchronous Procedure Call
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process modification
  relationship_id: REL-2022-0143
  name: Process modified Process
  source: process
  relationship: modified
  target: process
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process modification
  relationship_id: REL-2022-0143
  name: Process modified Process
  source: process
  relationship: modified
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '10'
  event_name: Process Access.
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.003
  is_subtechnique: true
  technique: Thread Execution Hijacking
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '10'
  event_name: Process Access.
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process modification
  relationship_id: REL-2022-0143
  name: Process modified Process
  source: process
  relationship: modified
  target: process
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.002
  is_subtechnique: true
  technique: Portable Executable Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process modification
  relationship_id: REL-2022-0143
  name: Process modified Process
  source: process
  relationship: modified
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '10'
  event_name: Process Access.
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process modification
  relationship_id: REL-2022-0143
  name: Process modified Process
  source: process
  relationship: modified
  target: process
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process modification
  relationship_id: REL-2022-0143
  name: Process modified Process
  source: process
  relationship: modified
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1055.001
  is_subtechnique: true
  technique: Dynamic-link Library Injection
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1037.003
  is_subtechnique: true
  technique: Network Logon Script
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1037.003
  is_subtechnique: true
  technique: Network Logon Script
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1037.003
  is_subtechnique: true
  technique: Network Logon Script
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1037.003
  is_subtechnique: true
  technique: Network Logon Script
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1037.003
  is_subtechnique: true
  technique: Network Logon Script
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1037.003
  is_subtechnique: true
  technique: Network Logon Script
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1037.003
  is_subtechnique: true
  technique: Network Logon Script
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '5136' event_name: A directory service object was modified. event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '5139' event_name: A directory service object was moved. 
event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '4719' event_name: System audit policy was changed. event_platform: windows audit_category: Policy Change audit_sub_category: Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: 
REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1037.003 is_subtechnique: true technique: Network Logon Script tactic: - persistence - 
privilege-escalation platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: '6' event_name: Driver loaded. event_platform: windows audit_category: DriverLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: DriverLoaded - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1543 
is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: New registry value created - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1543 is_subtechnique: false technique: Create or Modify System Process tactic: - persistence - privilege-escalation platform: - Windows - macOS - Linux data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: '4697'
  event_name: A service was installed in the system.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: '7045'
  event_name: A new service was installed in the system.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: Service Control Manager
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ServiceInstalled
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1543
  is_subtechnique: false
  technique: Create or Modify System Process
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1037.001
  is_subtechnique: true
  technique: Logon Script (Windows)
  tactic:
  - persistence
  - privilege-escalation
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: New registry value created
- technique_id: T1542.003
  is_subtechnique: true
  technique: Bootkit
  tactic:
  - persistence
  - defense-evasion
  platform:
  - Linux
  - Windows
  data_source: drive
  data_component: drive modification
  relationship_id: REL-2022-0044
  name: User enabled Drive
  source: user
  relationship: enabled
  target: drive
  event_id: '6422'
  event_name: A device was enabled.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: PNP Activity
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1542.003
  is_subtechnique: true
  technique: Bootkit
  tactic:
  - persistence
  - defense-evasion
  platform:
  - Linux
  - Windows
  data_source: drive
  data_component: drive modification
  relationship_id: REL-2022-0053
  name: User attempted to disable Drive
  source: user
  relationship: attempted to disable
  target: drive
  event_id: '6419'
  event_name: A request was made to disable a device.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: PNP Activity
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1542.003
  is_subtechnique: true
  technique: Bootkit
  tactic:
  - persistence
  - defense-evasion
  platform:
  - Linux
  - Windows
  data_source: drive
  data_component: drive modification
  relationship_id: REL-2022-0064
  name: User disabled Drive
  source: user
  relationship: disabled
  target: drive
  event_id: '6420'
  event_name: A device was disabled.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: PNP Activity
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1542.003
  is_subtechnique: true
  technique: Bootkit
  tactic:
  - persistence
  - defense-evasion
  platform:
  - Linux
  - Windows
  data_source: drive
  data_component: drive modification
  relationship_id: REL-2022-0067
  name: User attempted to enable Drive
  source: user
  relationship: attempted to enable
  target: drive
  event_id: '6421'
  event_name: A request was made to enable a device.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: PNP Activity
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1542.002
  is_subtechnique: true
  technique: Component Firmware
  tactic:
  - persistence
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1542.002
  is_subtechnique: true
  technique: Component Firmware
  tactic:
  - persistence
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1505.003
  is_subtechnique: true
  technique: Web Shell
  tactic:
  - persistence
  platform:
  - Linux
  - Windows
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1505.003
  is_subtechnique: true
  technique: Web Shell
  tactic:
  - persistence
  platform:
  - Linux
  - Windows
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1505.003
  is_subtechnique: true
  technique: Web Shell
  tactic:
  - persistence
  platform:
  - Linux
  - Windows
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1505.003
  is_subtechnique: true
  technique: Web Shell
  tactic:
  - persistence
  platform:
  - Linux
  - Windows
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: 
file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: 
'4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1505.003 is_subtechnique: true technique: Web Shell tactic: - persistence platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1505.002 is_subtechnique: true technique: Transport Agent tactic: - persistence platform: - Linux - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1505.002 is_subtechnique: true technique: Transport Agent tactic: - persistence platform: - Linux - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1505.002 is_subtechnique: true technique: Transport Agent tactic: - persistence platform: - Linux - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505.002 is_subtechnique: true technique: Transport Agent tactic: - persistence platform: - Linux - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505.002 is_subtechnique: true technique: Transport Agent tactic: - persistence platform: - Linux - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1505.002 is_subtechnique: true technique: Transport Agent tactic: - persistence platform: - Linux - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1505.002 is_subtechnique: true technique: Transport Agent tactic: - persistence platform: - Linux - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.003 is_subtechnique: true technique: Cron tactic: - execution - persistence - privilege-escalation platform: - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053.003 is_subtechnique: true technique: Cron tactic: - execution - persistence - privilege-escalation platform: - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053.003 is_subtechnique: true technique: Cron tactic: - execution - persistence - privilege-escalation platform: - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: scheduled job data_component: scheduled job creation relationship_id: REL-2022-0030 name: User created Scheduled job source: user relationship: created target: scheduled job event_id: '4698' event_name: A scheduled task was created. 
event_platform: windows audit_category: Object Access audit_sub_category: Other Object Access Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: scheduled job data_component: scheduled job creation relationship_id: REL-2022-0030 name: User created Scheduled job source: user relationship: created target: scheduled job event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScheduledTaskCreated - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1053.005 is_subtechnique: true technique: Scheduled Task tactic: - execution - persistence - privilege-escalation platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: command data_component: command 
execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: scheduled job data_component: scheduled job creation relationship_id: REL-2022-0030 name: User created Scheduled job source: user relationship: created target: scheduled job event_id: '4698' event_name: A scheduled task was created. 
event_platform: windows audit_category: Object Access audit_sub_category: Other Object Access Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: scheduled job data_component: scheduled job creation relationship_id: REL-2022-0030 name: User created Scheduled job source: user relationship: created target: scheduled job event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScheduledTaskCreated - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1053.002 is_subtechnique: true technique: At tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic 
data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: drive data_component: drive modification relationship_id: REL-2022-0044 name: User enabled Drive source: user relationship: enabled target: drive event_id: '6422' event_name: A device was enabled. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: drive data_component: drive modification relationship_id: REL-2022-0053 name: User attempted to disable Drive source: user relationship: attempted to disable target: drive event_id: '6419' event_name: A request was made to disable a device. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: drive data_component: drive modification relationship_id: REL-2022-0064 name: User disabled Drive source: user relationship: disabled target: drive event_id: '6420' event_name: A device was disabled. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: drive data_component: drive modification relationship_id: REL-2022-0067 name: User attempted to enable Drive source: user relationship: attempted to enable target: drive event_id: '6421' event_name: A request was made to enable a device. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1542 is_subtechnique: false technique: Pre-OS Boot tactic: - defense-evasion - persistence platform: - Linux - Windows - Network - macOS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. 
event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - 
Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: New registry value created - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - 
persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1137.001 is_subtechnique: true technique: Office Template Macros tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1137.004 is_subtechnique: true technique: Outlook Home Page 
tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.004 is_subtechnique: true technique: Outlook Home Page tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.004 is_subtechnique: true technique: Outlook Home Page tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1137.004 is_subtechnique: true technique: Outlook Home Page tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1137.004 is_subtechnique: true technique: Outlook Home Page tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.004 is_subtechnique: true technique: Outlook Home Page tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.004
  is_subtechnique: true
  technique: Outlook Home Page
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1137.004
  is_subtechnique: true
  technique: Outlook Home Page
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.004
  is_subtechnique: true
  technique: Outlook Home Page
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.004
  is_subtechnique: true
  technique: Outlook Home Page
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.004
  is_subtechnique: true
  technique: Outlook Home Page
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.004
  is_subtechnique: true
  technique: Outlook Home Page
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.004
  is_subtechnique: true
  technique: Outlook Home Page
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1137.004
  is_subtechnique: true
  technique: Outlook Home Page
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.004
  is_subtechnique: true
  technique: Outlook Home Page
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.004
  is_subtechnique: true
  technique: Outlook Home Page
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1137.003
  is_subtechnique: true
  technique: Outlook Forms
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.005
  is_subtechnique: true
  technique: Outlook Rules
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1137.006
  is_subtechnique: true
  technique: Add-ins
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component:
windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: New registry value created - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.006 is_subtechnique: true technique: Add-ins tactic: - persistence platform: - Windows - Office 365 data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: windows registry 
data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: New registry value created - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. 
event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1137.002 is_subtechnique: true technique: Office Test tactic: - persistence platform: - Windows - Office 365 data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An 
attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1137.002
  is_subtechnique: true
  technique: Office Test
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account deletion
  relationship_id: REL-2022-0176
  name: User deleted User
  source: user
  relationship: deleted
  target: user
  event_id: '4726'
  event_name: A user account was deleted.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: User Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account deletion
  relationship_id: REL-2022-0176
  name: User deleted User
  source: user
  relationship: deleted
  target: user
  event_id: '4743'
  event_name: A computer account was deleted.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: Computer Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account deletion
  relationship_id: REL-2022-0176
  name: User deleted User
  source: user
  relationship: deleted
  target: user
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: UserAccountDeleted
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0003
  name: User modified User
  source: user
  relationship: modified
  target: user
  event_id: '4738'
  event_name: A user account was changed.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: User Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0003
  name: User modified User
  source: user
  relationship: modified
  target: user
  event_id: '4781'
  event_name: The name of an account was changed.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: User Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0003
  name: User modified User
  source: user
  relationship: modified
  target: user
  event_id: '4742'
  event_name: A computer account was changed.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: Computer Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0003
  name: User modified User
  source: user
  relationship: modified
  target: user
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: UserAccountModified
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0009
  name: User locked User
  source: user
  relationship: locked
  target: user
  event_id: '4740'
  event_name: A user account was locked out.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: User Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0019
  name: User unlocked User
  source: user
  relationship: unlocked
  target: user
  event_id: '4767'
  event_name: A user account was unlocked.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: User Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0024
  name: User enabled User
  source: user
  relationship: enabled
  target: user
  event_id: '4722'
  event_name: A user account was enabled.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: User Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0024
  name: User enabled User
  source: user
  relationship: enabled
  target: user
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: UserAccountModified
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0042
  name: User granted acess to User
  source: user
  relationship: granted access to
  target: user
  event_id: '4717'
  event_name: System security access was granted to an account.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Authentication Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0083
  name: User removed acess from User
  source: user
  relationship: removed access from
  target: user
  event_id: '4718'
  event_name: System security access was removed from an account.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Authentication Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0109
  name: User disabled User
  source: user
  relationship: disabled
  target: user
  event_id: '4725'
  event_name: A user account was disabled.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: User Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0109
  name: User disabled User
  source: user
  relationship: disabled
  target: user
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: UserAccountModified
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0133
  name: User attempted to modify User
  source: user
  relationship: attempted to modify
  target: user
  event_id: '4723'
  event_name: An attempt was made to change an account's password.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: User Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: user account
  data_component: user account modification
  relationship_id: REL-2022-0133
  name: User attempted to modify User
  source: user
  relationship: attempted to modify
  target: user
  event_id: '4724'
  event_name: An attempt was made to reset an account's password.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: User Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5136'
  event_name: A directory service object was modified.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5139'
  event_name: A directory service object was moved.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1531
  is_subtechnique: false
  technique: Account Access Removal
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '4719'
  event_name: System audit policy was changed.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: SAM
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0006
  name: User accessed Process
  source: user
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: '10'
  event_name: Process Access.
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0111
  name: Process requested access to Process
  source: process
  relationship: requested access to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '10'
  event_name: ProcessAccess
  event_platform: windows
  audit_category: ProcessAccess
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Kernel Object
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: Process
- technique_id: T1539
  is_subtechnique: .nan
  technique: Steal Web Session Cookie
  tactic:
  - credential-access
  platform:
  - Linux
  - macOS
  - Windows
  - Office 365
  - SaaS
  - Google Workspace
  data_source: process
  data_component: process access
  relationship_id: REL-2022-0121
  name: Process accessed Process
  source: process
  relationship: accessed
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: OpenProcessApiCall
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1100'
  event_name: The event logging service has shut down.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1101'
  event_name: Audit events have been dropped by the transport.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1102'
  event_name: The audit log was cleared.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1104'
  event_name: The security Log is now full.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4616'
  event_name: The system time was changed.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security State Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1529
  is_subtechnique: .nan
  technique: System Shutdown/Reboot
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1529 is_subtechnique: .nan technique: System Shutdown/Reboot tactic: - impact platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1529 is_subtechnique: .nan technique: System Shutdown/Reboot tactic: - impact platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1529 is_subtechnique: .nan technique: System Shutdown/Reboot tactic: - impact platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1529 is_subtechnique: .nan technique: System Shutdown/Reboot tactic: - impact platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1529 is_subtechnique: .nan technique: System Shutdown/Reboot tactic: - impact platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1529 is_subtechnique: .nan technique: System Shutdown/Reboot tactic: - impact platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1529 is_subtechnique: .nan technique: System Shutdown/Reboot tactic: - impact platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1529 is_subtechnique: .nan technique: System Shutdown/Reboot tactic: - impact platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0049 name: Firewall enabled source: firewall relationship: enabled target: null event_id: '5024' event_name: The Windows Firewall Service has started successfully. event_platform: windows audit_category: System audit_sub_category: Other System Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0127 name: Firewall attempted to load Configuration source: firewall relationship: attempted to load target: configuration event_id: '2009' event_name: The Windows Firewall service failed to load Group Policy. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0152 name: User modified Firewall source: user relationship: modified target: firewall event_id: '2002' event_name: A Windows Defender Firewall setting has changed. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0152 name: User modified Firewall source: user relationship: modified target: firewall event_id: '2003' event_name: A Windows Defender Firewall setting in the Private profile has changed. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0180 name: Process modified Firewall source: process relationship: modified target: firewall event_id: '2002' event_name: A Windows Defender Firewall setting has changed. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: firewall data_component: firewall metadata relationship_id: REL-2022-0180 name: Process modified Firewall source: process relationship: modified target: firewall event_id: '2003' event_name: A Windows Defender Firewall setting in the Private profile has changed. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log_source: Microsoft-Windows-Windows Firewall With Advanced Security filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1518 is_subtechnique: .nan technique: Software Discovery tactic: - discovery platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1547.013 is_subtechnique: true technique: XDG Autostart Entries tactic: - persistence - privilege-escalation platform: - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547.013 is_subtechnique: true technique: XDG Autostart Entries tactic: - persistence - privilege-escalation platform: - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547.013 is_subtechnique: true technique: XDG Autostart Entries tactic: - persistence - privilege-escalation platform: - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547.013 is_subtechnique: true technique: XDG Autostart Entries tactic: - persistence - privilege-escalation platform: - Linux data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1547.013 is_subtechnique: true technique: XDG Autostart Entries tactic: - persistence - privilege-escalation platform: - Linux data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1505 is_subtechnique: .nan technique: Server Software Component tactic: - persistence platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505 is_subtechnique: .nan technique: Server Software Component tactic: - persistence platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1505 is_subtechnique: .nan technique: Server Software Component tactic: - persistence platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505 is_subtechnique: .nan technique: Server Software Component tactic: - persistence platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1505 is_subtechnique: .nan technique: Server Software Component tactic: - persistence platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1505 is_subtechnique: .nan technique: Server Software Component tactic: - persistence platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1505 is_subtechnique: .nan technique: Server Software Component tactic: - persistence platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1505 is_subtechnique: .nan technique: Server Software Component tactic: - persistence platform: - Windows - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created 
File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileCreated
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileCreated
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1505
  is_subtechnique: .nan
  technique: Server Software Component
  tactic:
    - persistence
  platform:
    - Windows
    - Linux
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1499
  is_subtechnique: false
  technique: Endpoint Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1499
  is_subtechnique: false
  technique: Endpoint Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1100'
  event_name: The event logging service has shut down.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1499
  is_subtechnique: false
  technique: Endpoint Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1101'
  event_name: Audit events have been dropped by the transport.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1499
  is_subtechnique: false
  technique: Endpoint Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1102'
  event_name: The audit log was cleared.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1499
  is_subtechnique: false
  technique: Endpoint Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1104'
  event_name: The security Log is now full.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1499
  is_subtechnique: false
  technique: Endpoint Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1499
  is_subtechnique: false
  technique: Endpoint Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1499
  is_subtechnique: false
  technique: Endpoint Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4616'
  event_name: The system time was changed.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security State Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1497
  is_subtechnique: .nan
  technique: Virtualization/Sandbox Evasion
  tactic:
    - defense-evasion
    - discovery
  platform:
    - Windows
    - macOS
    - Linux
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1498
  is_subtechnique: .nan
  technique: Network Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1498
  is_subtechnique: .nan
  technique: Network Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1100'
  event_name: The event logging service has shut down.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1498
  is_subtechnique: .nan
  technique: Network Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1101'
  event_name: Audit events have been dropped by the transport.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1498
  is_subtechnique: .nan
  technique: Network Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1102'
  event_name: The audit log was cleared.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1498
  is_subtechnique: .nan
  technique: Network Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1104'
  event_name: The security Log is now full.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1498
  is_subtechnique: .nan
  technique: Network Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1498
  is_subtechnique: .nan
  technique: Network Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1498
  is_subtechnique: .nan
  technique: Network Denial of Service
  tactic:
    - impact
  platform:
    - Windows
    - Azure AD
    - Office 365
    - SaaS
    - IaaS
    - Linux
    - macOS
    - Google Workspace
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4616'
  event_name: The system time was changed.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security State Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1100'
  event_name: The event logging service has shut down.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1101'
  event_name: Audit events have been dropped by the transport.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1102'
  event_name: The audit log was cleared.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '1104'
  event_name: The security Log is now full.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-Eventlog
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
    - impact
  platform:
    - Windows
    - IaaS
    - Linux
    - macOS
    - Containers
  data_source: sensor health
  data_component: host status
  relationship_id: REL-2022-0061
  name: Sensor Health changed
  source: sensor health
  relationship: changed
  target: null
  event_id: '4616'
  event_name: The system time was changed.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security State Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate.
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' 
event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1496 is_subtechnique: false technique: Resource Hijacking tactic: - impact platform: - Windows - IaaS - Linux - macOS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1496
  is_subtechnique: false
  technique: Resource Hijacking
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  - Containers
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1491
  is_subtechnique: .nan
  technique: Defacement
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1490
  is_subtechnique: false
  technique: Inhibit System Recovery
  tactic:
  - impact
  platform:
  - Windows
  - macOS
  - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1490
  is_subtechnique: false
  technique: Inhibit System Recovery
  tactic:
  - impact
  platform:
  - Windows
  - macOS
  - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1490
  is_subtechnique: false
  technique: Inhibit System Recovery
  tactic:
  - impact
  platform:
  - Windows
  - macOS
  - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1490
  is_subtechnique: false
  technique: Inhibit System Recovery
  tactic:
  - impact
  platform:
  - Windows
  - macOS
  - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1490
  is_subtechnique: false
  technique: Inhibit System Recovery
  tactic:
  - impact
  platform:
  - Windows
  - macOS
  - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1490
  is_subtechnique: false
  technique: Inhibit System Recovery
  tactic:
  - impact
  platform:
  - Windows
  - macOS
  - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1490
  is_subtechnique: false
  technique: Inhibit System Recovery
  tactic:
  - impact
  platform:
  - Windows
  - macOS
  - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1490
  is_subtechnique: false
  technique: Inhibit System Recovery
  tactic:
  - impact
  platform:
  - Windows
  - macOS
  - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1490
  is_subtechnique: false
  technique: Inhibit System Recovery
  tactic:
  - impact
  platform:
  - Windows
  - macOS
  - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1490
  is_subtechnique: false
  technique: Inhibit System Recovery
  tactic:
  - impact
  platform:
  - Windows
  - macOS
  - Linux
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: service data_component: service metadata relationship_id: REL-2022-0094 name: Service stopped source: service relationship: stopped target: null event_id: '4' event_name: Sysmon service state changed. 
event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: service data_component: service metadata relationship_id: REL-2022-0094 name: Service stopped source: service relationship: stopped target: null event_id: '6006' event_name: The Event log service was stopped. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: service data_component: service metadata relationship_id: REL-2022-0184 name: Service started source: service relationship: started target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: service data_component: service metadata relationship_id: REL-2022-0184 name: Service started source: service relationship: started target: null event_id: '6005' event_name: The Event log service was started. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '23' event_name: File Delete archived. 
event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '26' event_name: File Delete logged. event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '26' event_name: File Delete logged. 
event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1490 is_subtechnique: false technique: Inhibit System Recovery tactic: - impact platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: 
CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: process data_component: process termination relationship_id: REL-2022-0004 name: User terminated Process source: user relationship: terminated target: process event_id: '4689' event_name: A process has exited. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Termination channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1489 is_subtechnique: .nan technique: Service Stop tactic: - impact platform: - Windows - Linux - macOS data_source: process data_component: process termination relationship_id: REL-2022-0004 name: User terminated Process source: user relationship: terminated target: process event_id: '5' event_name: Process terminated. 
  event_platform: windows
  audit_category: ProcessTerminate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process termination
  relationship_id: REL-2022-0004
  name: User terminated Process
  source: user
  relationship: terminated
  target: process
  event_id: '5'
  event_name: Process terminated.
  event_platform: linux
  audit_category: ProcessTerminate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0094
  name: Service stopped
  source: service
  relationship: stopped
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0094
  name: Service stopped
  source: service
  relationship: stopped
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0184
  name: Service started
  source: service
  relationship: started
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0184
  name: Service started
  source: service
  relationship: started
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1489
  is_subtechnique: .nan
  technique: Service Stop
  tactic:
  - impact
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1486
  is_subtechnique: false
  technique: Data Encrypted for Impact
  tactic:
  - impact
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1485
  is_subtechnique: .nan
  technique: Data Destruction
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1485
  is_subtechnique: .nan
  technique: Data Destruction
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1485
  is_subtechnique: .nan
  technique: Data Destruction
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1485
  is_subtechnique: .nan
  technique: Data Destruction
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1485
  is_subtechnique: .nan
  technique: Data Destruction
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1485
  is_subtechnique: .nan
  technique: Data Destruction
  tactic:
  - impact
  platform:
  - Windows
  - IaaS
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: 
process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: 
process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '26' event_name: File Delete logged. 
event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '26' event_name: File Delete logged. 
event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1485 is_subtechnique: .nan technique: Data Destruction tactic: - impact platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User 
executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '5136' event_name: A directory service object was modified. 
event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '5139' event_name: A directory service object was moved. event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '4719' event_name: System audit policy was changed. event_platform: windows audit_category: Policy Change audit_sub_category: Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: active directory data_component: active directory object deletion relationship_id: REL-2022-0063 name: User deleted AD Object source: user relationship: deleted target: ad object event_id: '5141' event_name: A directory service object was deleted. 
event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1484 is_subtechnique: .nan technique: Domain Policy Modification tactic: - defense-evasion - privilege-escalation platform: - Windows - Azure AD data_source: active directory data_component: active directory object creation relationship_id: REL-2022-0136 name: User created AD Object source: user relationship: created target: ad object event_id: '5137' event_name: A directory service object was created. event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1482 is_subtechnique: false technique: Domain Trust Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1482 is_subtechnique: false technique: Domain Trust Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1482 is_subtechnique: false technique: Domain Trust Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1482 is_subtechnique: false technique: Domain Trust Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1482 is_subtechnique: false technique: Domain Trust Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1482 is_subtechnique: false technique: Domain Trust Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1482 is_subtechnique: false technique: Domain Trust Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ScriptContent
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: PowerShellCommand
- technique_id: T1482
  is_subtechnique: false
  technique: Domain Trust Discovery
  tactic:
    - discovery
  platform:
    - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: AmsiScriptDetection
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1480
  is_subtechnique: false
  technique: Execution Guardrails
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5136'
  event_name: A directory service object was modified.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5139'
  event_name: A directory service object was moved.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '4719'
  event_name: System audit policy was changed.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1222
  is_subtechnique: .nan
  technique: File and Directory Permissions Modification
  tactic:
    - defense-evasion
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionAttempt
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1221 is_subtechnique: .nan technique: Template Injection tactic: - defense-evasion platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1221
  is_subtechnique: .nan
  technique: Template Injection
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1220
  is_subtechnique: false
  technique: XSL Script Processing
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  - Linux
  - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1218 is_subtechnique: false technique: System Binary Proxy Execution tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1218
  is_subtechnique: false
  technique: System Binary Proxy Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
    - Linux
    - macOS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0122
  name: User attempted to authenticate from Device
  source: user
  relationship: attempted to authenticate from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0163
  name: User authenticated from Device
  source: user
  relationship: authenticated from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5136'
  event_name: A directory service object was modified.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5139'
  event_name: A directory service object was moved.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '4719'
  event_name: System audit policy was changed.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1207
  is_subtechnique: .nan
  technique: Rogue Domain Controller
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: active directory
  data_component: active directory object creation
  relationship_id: REL-2022-0136
  name: User created AD Object
  source: user
  relationship: created
  target: ad object
  event_id: '5137'
  event_name: A directory service object was created.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4703'
  event_name: A token right was adjusted.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Authorization Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4673'
  event_name: A privileged service was called.
  event_platform: windows
  audit_category: Privilege Use
  audit_sub_category: Sensitive Privilege Use
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4674'
  event_name: An operation was attempted on a privileged object.
  event_platform: windows
  audit_category: Privilege Use
  audit_sub_category: Sensitive Privilege Use
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4610'
  event_name: An authentication package has been loaded by the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4611'
  event_name: A trusted logon process has been registered with the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4614'
  event_name: A notification package has been loaded by the Security Account Manager.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session metadata
  relationship_id: REL-2022-0050
  name: Logon Metadata
  source: logon
  relationship: metadata
  target: null
  event_id: '4622'
  event_name: A security package has been loaded by the Local Security Authority.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4964'
  event_name: Special groups have been assigned to a new logon.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Special Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1199
  is_subtechnique: .nan
  technique: Trusted Relationship
  tactic:
    - initial-access
  platform:
    - Windows
    - SaaS
    - IaaS
    - Linux
    - macOS
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1202
  is_subtechnique: false
  technique: Indirect Command Execution
  tactic:
    - defense-evasion
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1202 is_subtechnique: false technique: Indirect Command Execution tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1195 is_subtechnique: false technique: Supply Chain Compromise tactic: - initial-access platform: - Linux - Windows - macOS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4' event_name: Sysmon service state changed. event_platform: windows audit_category: ServiceStateChange audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1195 is_subtechnique: false technique: Supply Chain Compromise tactic: - initial-access platform: - Linux - Windows - macOS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1100' event_name: The event logging service has shut down. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1195 is_subtechnique: false technique: Supply Chain Compromise tactic: - initial-access platform: - Linux - Windows - macOS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1101' event_name: Audit events have been dropped by the transport. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1195 is_subtechnique: false technique: Supply Chain Compromise tactic: - initial-access platform: - Linux - Windows - macOS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1102' event_name: The audit log was cleared. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1195 is_subtechnique: false technique: Supply Chain Compromise tactic: - initial-access platform: - Linux - Windows - macOS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '1104' event_name: The security Log is now full. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-Eventlog filter_in: .nan - technique_id: T1195 is_subtechnique: false technique: Supply Chain Compromise tactic: - initial-access platform: - Linux - Windows - macOS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6005' event_name: The Event log service was started. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1195 is_subtechnique: false technique: Supply Chain Compromise tactic: - initial-access platform: - Linux - Windows - macOS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '6006' event_name: The Event log service was stopped. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: System log_source: EventLog filter_in: .nan - technique_id: T1195 is_subtechnique: false technique: Supply Chain Compromise tactic: - initial-access platform: - Linux - Windows - macOS data_source: sensor health data_component: host status relationship_id: REL-2022-0061 name: Sensor Health changed source: sensor health relationship: changed target: null event_id: '4616' event_name: The system time was changed. 
event_platform: windows audit_category: System audit_sub_category: Security State Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1219 is_subtechnique: false technique: Remote Access Software tactic: - command-and-control platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1213 is_subtechnique: false technique: Data from Information Repositories tactic: - collection platform: - Linux - Windows - macOS - SaaS - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1213 is_subtechnique: false technique: Data from Information Repositories tactic: - collection platform: - Linux - Windows - macOS - SaaS - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1213 is_subtechnique: false technique: Data from Information Repositories tactic: - collection platform: - Linux - Windows - macOS - SaaS - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1213 is_subtechnique: false technique: Data from Information Repositories tactic: - collection platform: - Linux - Windows - macOS - SaaS - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1213 is_subtechnique: false technique: Data from Information Repositories tactic: - collection platform: - Linux - Windows - macOS - SaaS - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1213 is_subtechnique: false technique: Data from Information Repositories tactic: - collection platform: - Linux - Windows - macOS - SaaS - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1213 is_subtechnique: false technique: Data from Information Repositories tactic: - collection platform: - Linux - Windows - macOS - SaaS - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1213 is_subtechnique: false technique: Data from Information Repositories tactic: - collection platform: - Linux - Windows - macOS - SaaS - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1213 is_subtechnique: false technique: Data from Information Repositories tactic: - collection platform: - Linux - Windows - macOS - SaaS - Office 365 - Google Workspace - IaaS data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1200 is_subtechnique: false technique: Hardware Additions tactic: - initial-access platform: - Windows - Linux - macOS data_source: drive data_component: drive creation relationship_id: REL-2022-0069 name: User attempted to install Drive source: user relationship: attempted to install target: drive event_id: '6423' event_name: The installation of this device is forbidden by system policy. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1200 is_subtechnique: false technique: Hardware Additions tactic: - initial-access platform: - Windows - Linux - macOS data_source: drive data_component: drive creation relationship_id: REL-2022-0114 name: User installed Drive source: user relationship: installed target: drive event_id: '6416' event_name: A new external device was recognized by the system. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1200 is_subtechnique: false technique: Hardware Additions tactic: - initial-access platform: - Windows - Linux - macOS data_source: drive data_component: drive creation relationship_id: REL-2022-0114 name: User installed Drive source: user relationship: installed target: drive event_id: '6424' event_name: The installation of this device was allowed, after having previously been forbidden by policy. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1216 is_subtechnique: false technique: System Script Proxy Execution tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ScriptContent
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: PowerShellCommand
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: AmsiScriptDetection
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1216
  is_subtechnique: false
  technique: System Script Proxy Execution
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1205
  is_subtechnique: false
  technique: Traffic Signaling
  tactic:
  - defense-evasion
  - persistence
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1205 is_subtechnique: false technique: Traffic Signaling tactic: - defense-evasion - persistence - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1217 is_subtechnique: .nan technique: Browser Bookmark Discovery tactic: - discovery platform: - Linux - Windows - macOS data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1217 is_subtechnique: .nan technique: Browser Bookmark Discovery tactic: - discovery platform: - Linux - Windows - macOS data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1217 is_subtechnique: .nan technique: Browser Bookmark Discovery tactic: - discovery platform: - Linux - Windows - macOS data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1217 is_subtechnique: .nan technique: Browser Bookmark Discovery tactic: - discovery platform: - Linux - Windows - macOS data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1217 is_subtechnique: .nan technique: Browser Bookmark Discovery tactic: - discovery platform: - Linux - Windows - macOS data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1217 is_subtechnique: .nan technique: Browser Bookmark Discovery tactic: - discovery platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1217 is_subtechnique: .nan technique: Browser Bookmark Discovery tactic: - discovery platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1217 is_subtechnique: .nan technique: Browser Bookmark Discovery tactic: - discovery platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1217 is_subtechnique: .nan technique: Browser Bookmark Discovery tactic: - discovery platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1217 is_subtechnique: .nan technique: Browser Bookmark Discovery tactic: - discovery platform: - Linux - Windows - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1217
  is_subtechnique: .nan
  technique: Browser Bookmark Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - Windows
    - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1201
  is_subtechnique: false
  technique: Password Policy Discovery
  tactic:
    - discovery
  platform:
    - Windows
    - Linux
    - macOS
    - IaaS
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0122
  name: User attempted to authenticate from Device
  source: user
  relationship: attempted to authenticate from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0163
  name: User authenticated from Device
  source: user
  relationship: authenticated from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1212
  is_subtechnique: false
  technique: Exploitation for Credential Access
  tactic:
    - credential-access
  platform:
    - Linux
    - Windows
    - macOS
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1203
  is_subtechnique: false
  technique: Exploitation for Client Execution
  tactic:
    - execution
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1203
  is_subtechnique: false
  technique: Exploitation for Client Execution
  tactic:
    - execution
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1203
  is_subtechnique: false
  technique: Exploitation for Client Execution
  tactic:
    - execution
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1203
  is_subtechnique: false
  technique: Exploitation for Client Execution
  tactic:
    - execution
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1203
  is_subtechnique: false
  technique: Exploitation for Client Execution
  tactic:
    - execution
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1203
  is_subtechnique: false
  technique: Exploitation for Client Execution
  tactic:
    - execution
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1203
  is_subtechnique: false
  technique: Exploitation for Client Execution
  tactic:
    - execution
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1203
  is_subtechnique: false
  technique: Exploitation for Client Execution
  tactic:
    - execution
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1203
  is_subtechnique: false
  technique: Exploitation for Client Execution
  tactic:
    - execution
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1203
  is_subtechnique: false
  technique: Exploitation for Client Execution
  tactic:
    - execution
  platform:
    - Linux
    - Windows
    - macOS
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
    - defense-evasion
    - persistence
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
    - defense-evasion
    - persistence
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
    - defense-evasion
    - persistence
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
    - defense-evasion
    - persistence
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
    - defense-evasion
    - persistence
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
    - defense-evasion
    - persistence
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
    - defense-evasion
    - persistence
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
    - defense-evasion
    - persistence
  platform:
    - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
    - defense-evasion
    - persistence
  platform:
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
    - defense-evasion
    - persistence
  platform:
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1197 is_subtechnique: .nan technique: BITS Jobs tactic: - defense-evasion - persistence platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0094
  name: Service stopped
  source: service
  relationship: stopped
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0094
  name: Service stopped
  source: service
  relationship: stopped
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0184
  name: Service started
  source: service
  relationship: started
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0184
  name: Service started
  source: service
  relationship: started
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: System
  log_source: EventLog
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1197
  is_subtechnique: .nan
  technique: BITS Jobs
  tactic:
  - defense-evasion
  - persistence
  platform:
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1189
  is_subtechnique: .nan
  technique: Drive-by Compromise
  tactic:
  - initial-access
  platform:
  - Windows
  - Linux
  - macOS
  - SaaS
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt 
was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1189 is_subtechnique: .nan technique: Drive-by Compromise tactic: - initial-access platform: - Windows - Linux - macOS - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- {technique_id: T1189, is_subtechnique: .nan, technique: Drive-by Compromise, tactic: [initial-access], platform: [Windows, Linux, macOS, SaaS], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1189, is_subtechnique: .nan, technique: Drive-by Compromise, tactic: [initial-access], platform: [Windows, Linux, macOS, SaaS], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1189, is_subtechnique: .nan, technique: Drive-by Compromise, tactic: [initial-access], platform: [Windows, Linux, macOS, SaaS], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1189, is_subtechnique: .nan, technique: Drive-by Compromise, tactic: [initial-access], platform: [Windows, Linux, macOS, SaaS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1189, is_subtechnique: .nan, technique: Drive-by Compromise, tactic: [initial-access], platform: [Windows, Linux, macOS, SaaS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1189, is_subtechnique: .nan, technique: Drive-by Compromise, tactic: [initial-access], platform: [Windows, Linux, macOS, SaaS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1189, is_subtechnique: .nan, technique: Drive-by Compromise, tactic: [initial-access], platform: [Windows, Linux, macOS, SaaS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1211, is_subtechnique: false, technique: Exploitation for Defense Evasion, tactic: [defense-evasion], platform: [Linux, Windows, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1211, is_subtechnique: false, technique: Exploitation for Defense Evasion, tactic: [defense-evasion], platform: [Linux, Windows, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1211, is_subtechnique: false, technique: Exploitation for Defense Evasion, tactic: [defense-evasion], platform: [Linux, Windows, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1211, is_subtechnique: false, technique: Exploitation for Defense Evasion, tactic: [defense-evasion], platform: [Linux, Windows, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1211, is_subtechnique: false, technique: Exploitation for Defense Evasion, tactic: [defense-evasion], platform: [Linux, Windows, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1211, is_subtechnique: false, technique: Exploitation for Defense Evasion, tactic: [defense-evasion], platform: [Linux, Windows, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1211, is_subtechnique: false, technique: Exploitation for Defense Evasion, tactic: [defense-evasion], platform: [Linux, Windows, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1211, is_subtechnique: false, technique: Exploitation for Defense Evasion, tactic: [defense-evasion], platform: [Linux, Windows, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1211, is_subtechnique: false, technique: Exploitation for Defense Evasion, tactic: [defense-evasion], platform: [Linux, Windows, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1211, is_subtechnique: false, technique: Exploitation for Defense Evasion, tactic: [defense-evasion], platform: [Linux, Windows, macOS], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0007, name: Process connected from Port, source: process, relationship: connected from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0012, name: Process attempted connection to Port, source: process, relationship: attempted connection to, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0012, name: Process attempted connection to Port, source: process, relationship: attempted connection to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionAttempt}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0074, name: Device blocked connection from Process, source: device, relationship: blocked connection from, target: process, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0090, name: Device permitted listener on Ip, source: device, relationship: permitted listener on, target: ip, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0056, name: Process attempted connection to Ip, source: process, relationship: attempted connection to, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0056, name: Process attempted connection to Ip, source: process, relationship: attempted connection to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionAttempt}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0084, name: Device blocked port bind on Process, source: device, relationship: blocked port bind on, target: process, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0022, name: Device blocked listener on Ip, source: device, relationship: blocked listener on, target: ip, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0068, name: Process listened on Port, source: process, relationship: listened on, target: port, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0068, name: Process listened on Port, source: process, relationship: listened on, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ListeningConnectionCreated}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: device, relationship: blocked connection to, target: process, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: device, relationship: blocked connection to, target: process, event_id: '5031', event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: device, relationship: blocked connection to, target: process, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionToAppBlocked}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0079, name: Process attempted connection from Ip, source: process, relationship: attempted connection from, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0079, name: Process attempted connection from Ip, source: process, relationship: attempted connection from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionRequest}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0028, name: Device blocked connection from Port, source: device, relationship: blocked connection from, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0028, name: Device blocked connection from Port, source: device, relationship: blocked connection from, target: port, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionBlocked}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0091, name: Process attempted to listen on Port, source: process, relationship: attempted to listen on, target: port, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0103, name: Process bound to Port, source: process, relationship: bound to, target: port, event_id: '5158', event_name: The Windows Filtering Platform has permitted a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0103, name: Process bound to Port, source: process, relationship: bound to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ListeningConnectionCreated}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0115, name: Device permitted listener on Port, source: device, relationship: permitted listener on, target: port, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0112, name: Process attempted connection from Port, source: process, relationship: attempted connection from, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0112, name: Process attempted connection from Port, source: process, relationship: attempted connection from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionRequest}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0159, name: Device blocked listener on Port, source: device, relationship: blocked listener on, target: port, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0173, name: Device blocked connection to Ip, source: device, relationship: blocked connection to, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0173, name: Device blocked connection to Ip, source: device, relationship: blocked connection to, target: ip, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallOutboundConnectionBlocked}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0137, name: Device blocked connection to Port, source: device, relationship: blocked connection to, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0137, name: Device blocked connection to Port, source: device, relationship: blocked connection to, target: port, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallOutboundConnectionBlocked}]}
- {technique_id: T1204, is_subtechnique: false, technique: User Execution, tactic: [execution], platform: [Linux, Windows, macOS, IaaS, Containers], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0128, name: Device blocked listener on Process, source: device, relationship: blocked listener on, target: process, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' 
event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1204 is_subtechnique: false technique: User Execution tactic: - execution platform: - Linux - Windows - macOS - IaaS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '10' event_name: Process Access. 
event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '10' event_name: ProcessAccess event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: process data_component: process modification relationship_id: REL-2022-0143 name: Process modified Process source: process relationship: modified target: process event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: process data_component: process modification relationship_id: REL-2022-0143 name: Process modified Process source: process relationship: modified target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1185 is_subtechnique: .nan technique: Browser Session Hijacking tactic: - collection platform: - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file 
event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1187 is_subtechnique: .nan technique: Forced Authentication tactic: - credential-access platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created 
target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created 
target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0012, name: Process attempted connection to Port, source: process, relationship: attempted connection to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionAttempt}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0017, name: Process connected to Ip, source: process, relationship: connected to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0074, name: Device blocked connection from Process, source: device, relationship: blocked connection from, target: process, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0051, name: Process connected from Host, source: process, relationship: connected from, target: host, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0090, name: Device permitted listener on Ip, source: device, relationship: permitted listener on, target: ip, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0056, name: Process attempted connection to Ip, source: process, relationship: attempted connection to, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0056, name: Process attempted connection to Ip, source: process, relationship: attempted connection to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionAttempt}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0084, name: Device blocked port bind on Process, source: device, relationship: blocked port bind on, target: process, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0022, name: Device blocked listener on Ip, source: device, relationship: blocked listener on, target: ip, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0068, name: Process listened on Port, source: process, relationship: listened on, target: port, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0068, name: Process listened on Port, source: process, relationship: listened on, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ListeningConnectionCreated}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: Device, relationship: blocked connection to, target: process, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: Device, relationship: blocked connection to, target: process, event_id: '5031', event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: Device, relationship: blocked connection to, target: process, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionToAppBlocked}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0079, name: Process attempted connection from Ip, source: process, relationship: attempted connection from, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0079, name: Process attempted connection from Ip, source: process, relationship: attempted connection from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionRequest}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0028, name: Device blocked connection from Port, source: device, relationship: blocked connection from, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0028, name: Device blocked connection from Port, source: device, relationship: blocked connection from, target: port, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionBlocked}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0091, name: Process attempted to listen on Port, source: process, relationship: attempted to listen on, target: port, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0103, name: Process bound to Port, source: process, relationship: bound to, target: port, event_id: '5158', event_name: The Windows Filtering Platform has permitted a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0103, name: Process bound to Port, source: process, relationship: bound to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ListeningConnectionCreated}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0115, name: Device permitted listener on Port, source: device, relationship: permitted listener on, target: port, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0112, name: Process attempted connection from Port, source: process, relationship: attempted connection from, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0112, name: Process attempted connection from Port, source: process, relationship: attempted connection from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionRequest}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0159, name: Device blocked listener on Port, source: device, relationship: blocked listener on, target: port, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0173, name: Device blocked connection to Ip, source: device, relationship: blocked connection to, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0173, name: Device blocked connection to Ip, source: device, relationship: blocked connection to, target: ip, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallOutboundConnectionBlocked}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0137, name: Device blocked connection to Port, source: device, relationship: blocked connection to, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0137, name: Device blocked connection to Port, source: device, relationship: blocked connection to, target: port, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallOutboundConnectionBlocked}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0128, name: Device blocked listener on Process, source: device, relationship: blocked listener on, target: process, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0164, name: Device permitted listener on Process, source: device, relationship: permitted listener on, target: process, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0010, name: Device blocked port bind on Port, source: device, relationship: blocked port bind on, target: port, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0124, name: Device blocked port bind on Ip, source: device, relationship: blocked port bind on, target: ip, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0160, name: Device blocked connection from Ip, source: device, relationship: blocked connection from, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0160, name: Device blocked connection from Ip, source: device, relationship: blocked connection from, target: ip, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionBlocked}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1176, is_subtechnique: false, technique: Browser Extensions, tactic: [persistence], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection.
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux 
audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1176 is_subtechnique: false technique: Browser Extensions tactic: - persistence platform: - Linux - macOS - Windows 
data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: New registry value created - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. 
event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4104' event_name: Script Block Logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScriptContent - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: PowerShellCommand - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: script 
data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: AmsiScriptDetection - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1140 is_subtechnique: false technique: Deobfuscate/Decode Files or Information tactic: - defense-evasion platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1135 is_subtechnique: .nan technique: Network Share Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1135 is_subtechnique: .nan technique: Network Share Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1135 is_subtechnique: .nan technique: Network Share Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1135 is_subtechnique: .nan technique: Network Share Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1135 is_subtechnique: .nan technique: Network Share Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1135 is_subtechnique: .nan technique: Network Share Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1135 is_subtechnique: .nan technique: Network Share Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1135 is_subtechnique: .nan technique: Network Share Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1135 is_subtechnique: .nan technique: Network Share Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1135 is_subtechnique: .nan technique: Network Share Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1135 is_subtechnique: .nan technique: Network Share Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1135
  is_subtechnique: .nan
  technique: Network Share Discovery
  tactic:
  - discovery
  platform:
  - macOS
  - Windows
  - Linux
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1135
  is_subtechnique: .nan
  technique: Network Share Discovery
  tactic:
  - discovery
  platform:
  - macOS
  - Windows
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1135
  is_subtechnique: .nan
  technique: Network Share Discovery
  tactic:
  - discovery
  platform:
  - macOS
  - Windows
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1135
  is_subtechnique: .nan
  technique: Network Share Discovery
  tactic:
  - discovery
  platform:
  - macOS
  - Windows
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1135
  is_subtechnique: .nan
  technique: Network Share Discovery
  tactic:
  - discovery
  platform:
  - macOS
  - Windows
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1135
  is_subtechnique: .nan
  technique: Network Share Discovery
  tactic:
  - discovery
  platform:
  - macOS
  - Windows
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1135
  is_subtechnique: .nan
  technique: Network Share Discovery
  tactic:
  - discovery
  platform:
  - macOS
  - Windows
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1135
  is_subtechnique: .nan
  technique: Network Share Discovery
  tactic:
  - discovery
  platform:
  - macOS
  - Windows
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1135
  is_subtechnique: .nan
  technique: Network Share Discovery
  tactic:
  - discovery
  platform:
  - macOS
  - Windows
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1135
  is_subtechnique: .nan
  technique: Network Share Discovery
  tactic:
  - discovery
  platform:
  - macOS
  - Windows
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: CreateKey
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: New registry value created
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyCreated
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: 11
  event_name: FileCreate
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileCreated
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileModified
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FileRenamed
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1137
  is_subtechnique: .nan
  technique: Office Application Startup
  tactic:
  - persistence
  platform:
  - Windows
  - Office 365
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1134
  is_subtechnique: false
  technique: Access Token Manipulation
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0029
  name: Process terminated
  source: process
  relationship: terminated
  target: null
  event_id: '5'
  event_name: Process terminated.
  event_platform: windows
  audit_category: ProcessTerminate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134
  is_subtechnique: false
  technique: Access Token Manipulation
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0073
  name: Process searched LDAP
  source: process
  relationship: searched
  target: ldap
  event_id: '30'
  event_name: EventID(30)
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-LDAP-Client/Debug
  filter_in: .nan
- technique_id: T1134
  is_subtechnique: false
  technique: Access Token Manipulation
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0073
  name: Process searched LDAP
  source: process
  relationship: searched
  target: ldap
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LdapSearch
- technique_id: T1134
  is_subtechnique: false
  technique: Access Token Manipulation
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134
  is_subtechnique: false
  technique: Access Token Manipulation
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134
  is_subtechnique: false
  technique: Access Token Manipulation
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1134
  is_subtechnique: false
  technique: Access Token Manipulation
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1134
  is_subtechnique: false
  technique: Access Token Manipulation
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1134
  is_subtechnique: false
  technique: Access Token Manipulation
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1134
  is_subtechnique: false
  technique: Access Token Manipulation
  tactic:
  - defense-evasion
  - privilege-escalation
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '5136' event_name: A directory service object was modified. event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '5139' event_name: A directory service object was moved. 
event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '4719' event_name: System audit policy was changed. event_platform: windows audit_category: Policy Change audit_sub_category: Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1134 is_subtechnique: false technique: Access Token Manipulation tactic: - defense-evasion - privilege-escalation platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: '4720' event_name: A user account was created. event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: '4741' event_name: A computer account was created. 
event_platform: windows audit_category: Account Management audit_sub_category: Computer Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: user account data_component: user account creation relationship_id: REL-2022-0002 name: User created User source: user relationship: created target: user event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: UserAccountCreated - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1136 is_subtechnique: .nan technique: Create Account tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1133 is_subtechnique: .nan technique: External Remote Services tactic: - persistence - initial-access platform: - Windows - Linux - Containers - macOS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4703' event_name: A token right was adjusted. 
event_platform: windows audit_category: Policy Change audit_sub_category: Authorization Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1133 is_subtechnique: .nan technique: External Remote Services tactic: - persistence - initial-access platform: - Windows - Linux - Containers - macOS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4673' event_name: A privileged service was called. event_platform: windows audit_category: Privilege Use audit_sub_category: Sensitive Privilege Use channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1133 is_subtechnique: .nan technique: External Remote Services tactic: - persistence - initial-access platform: - Windows - Linux - Containers - macOS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4674' event_name: An operation was attempted on a privileged object. event_platform: windows audit_category: Privilege Use audit_sub_category: Sensitive Privilege Use channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1133 is_subtechnique: .nan technique: External Remote Services tactic: - persistence - initial-access platform: - Windows - Linux - Containers - macOS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4610' event_name: An authentication package has been loaded by the Local Security Authority. 
event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1133 is_subtechnique: .nan technique: External Remote Services tactic: - persistence - initial-access platform: - Windows - Linux - Containers - macOS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4611' event_name: A trusted logon process has been registered with the Local Security Authority. event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1133 is_subtechnique: .nan technique: External Remote Services tactic: - persistence - initial-access platform: - Windows - Linux - Containers - macOS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4614' event_name: A notification package has been loaded by the Security Account Manager. event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1133 is_subtechnique: .nan technique: External Remote Services tactic: - persistence - initial-access platform: - Windows - Linux - Containers - macOS data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4622' event_name: A security package has been loaded by the Local Security Authority. 
event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1129 is_subtechnique: false technique: Shared Modules tactic: - execution platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1129 is_subtechnique: false technique: Shared Modules tactic: - execution platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1129 is_subtechnique: false technique: Shared Modules tactic: - execution platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1129 is_subtechnique: false technique: Shared Modules tactic: - execution platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1129 is_subtechnique: false technique: Shared Modules tactic: - execution platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1129 is_subtechnique: false technique: Shared Modules tactic: - execution platform: - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1127 is_subtechnique: false technique: Trusted Developer Utilities Proxy Execution tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1125 is_subtechnique: .nan technique: Video Capture tactic: - collection platform: - Windows - macOS - Linux data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1125 is_subtechnique: .nan technique: Video Capture tactic: - collection platform: - Windows - macOS - Linux data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1125 is_subtechnique: .nan technique: Video Capture tactic: - collection platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1125 is_subtechnique: .nan technique: Video Capture tactic: - collection platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1125 is_subtechnique: .nan technique: Video Capture tactic: - collection platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1125 is_subtechnique: .nan technique: Video Capture tactic: - collection platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1125 is_subtechnique: .nan technique: Video Capture tactic: - collection platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1125 is_subtechnique: .nan technique: Video Capture tactic: - collection platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1125 is_subtechnique: .nan technique: Video Capture tactic: - collection platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1125 is_subtechnique: .nan technique: Video Capture tactic: - collection platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1125 is_subtechnique: .nan technique: Video Capture tactic: - collection platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1124 is_subtechnique: .nan technique: System Time Discovery tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1123 is_subtechnique: .nan technique: Audio Capture tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1123 is_subtechnique: .nan technique: Audio Capture tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1123 is_subtechnique: .nan technique: Audio Capture tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1123 is_subtechnique: .nan technique: Audio Capture tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1123 is_subtechnique: .nan technique: Audio Capture tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1123 is_subtechnique: .nan technique: Audio Capture tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1123 is_subtechnique: .nan technique: Audio Capture tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1123 is_subtechnique: .nan technique: Audio Capture tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1123 is_subtechnique: .nan technique: Audio Capture tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1123 is_subtechnique: .nan technique: Audio Capture tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1123 is_subtechnique: .nan technique: Audio Capture tactic: - collection platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1120 is_subtechnique: .nan technique: Peripheral Device Discovery tactic: - discovery platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1120 is_subtechnique: .nan technique: Peripheral Device Discovery tactic: - discovery platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1120 is_subtechnique: .nan technique: Peripheral Device Discovery tactic: - discovery platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1120 is_subtechnique: .nan technique: Peripheral Device Discovery tactic: - discovery platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1120 is_subtechnique: .nan technique: Peripheral Device Discovery tactic: - discovery platform: - Windows - macOS - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1120
  is_subtechnique: .nan
  technique: Peripheral Device Discovery
  tactic:
  - discovery
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: SAM
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ScriptContent
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: PowerShellCommand
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: AmsiScriptDetection
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1119
  is_subtechnique: false
  technique: Automated Collection
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  - IaaS
  - SaaS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1115
  is_subtechnique: .nan
  technique: Clipboard Data
  tactic:
  - collection
  platform:
  - Linux
  - Windows
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1115
  is_subtechnique: .nan
  technique: Clipboard Data
  tactic:
  - collection
  platform:
  - Linux
  - Windows
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1115
  is_subtechnique: .nan
  technique: Clipboard Data
  tactic:
  - collection
  platform:
  - Linux
  - Windows
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1115
  is_subtechnique: .nan
  technique: Clipboard Data
  tactic:
  - collection
  platform:
  - Linux
  - Windows
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1115
  is_subtechnique: .nan
  technique: Clipboard Data
  tactic:
  - collection
  platform:
  - Linux
  - Windows
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1115
  is_subtechnique: .nan
  technique: Clipboard Data
  tactic:
  - collection
  platform:
  - Linux
  - Windows
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1115
  is_subtechnique: .nan
  technique: Clipboard Data
  tactic:
  - collection
  platform:
  - Linux
  - Windows
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1115
  is_subtechnique: .nan
  technique: Clipboard Data
  tactic:
  - collection
  platform:
  - Linux
  - Windows
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1115
  is_subtechnique: .nan
  technique: Clipboard Data
  tactic:
  - collection
  platform:
  - Linux
  - Windows
  - macOS
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1115
  is_subtechnique: .nan
  technique: Clipboard Data
  tactic:
  - collection
  platform:
  - Linux
  - Windows
  - macOS
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1115
  is_subtechnique: .nan
  technique: Clipboard Data
  tactic:
  - collection
  platform:
  - Linux
  - Windows
  - macOS
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1114 is_subtechnique: .nan technique: Email Collection tactic: - collection platform: - Windows - Office 365 - Google Workspace - macOS - Linux data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0046
  name: User created logon from Ip
  source: user
  relationship: created logon from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0059
  name: User created logon from Port
  source: user
  relationship: created logon from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4778'
  event_name: A session was reconnected to a Window Station.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Other Logon/Logoff Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: '4964'
  event_name: Special groups have been assigned to a new logon.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Special Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: logon session
  data_component: logon session creation
  relationship_id: REL-2022-0186
  name: User created Logon
  source: user
  relationship: created
  target: logon
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: SAM
- technique_id: T1114
  is_subtechnique: .nan
  technique: Email Collection
  tactic:
  - collection
  platform:
  - Windows
  - Office 365
  - Google Workspace
  - macOS
  - Linux
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1113
  is_subtechnique: .nan
  technique: Screen Capture
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1113
  is_subtechnique: .nan
  technique: Screen Capture
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1113
  is_subtechnique: .nan
  technique: Screen Capture
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1113
  is_subtechnique: .nan
  technique: Screen Capture
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1113
  is_subtechnique: .nan
  technique: Screen Capture
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1113
  is_subtechnique: .nan
  technique: Screen Capture
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1113
  is_subtechnique: .nan
  technique: Screen Capture
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1113
  is_subtechnique: .nan
  technique: Screen Capture
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1113
  is_subtechnique: .nan
  technique: Screen Capture
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1113
  is_subtechnique: .nan
  technique: Screen Capture
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1113
  is_subtechnique: .nan
  technique: Screen Capture
  tactic:
  - collection
  platform:
  - Linux
  - macOS
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0102
  name: Process deleted Registry
  source: process
  relationship: deleted
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0102
  name: Process deleted Registry
  source: process
  relationship: deleted
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueDeleted
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0102
  name: Process deleted Registry
  source: process
  relationship: deleted
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyDeleted
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0102
  name: Process deleted Registry
  source: process
  relationship: deleted
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Registry value deleted
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0102
  name: Process deleted Registry
  source: process
  relationship: deleted
  target: registry
  event_id: '4660'
  event_name: An object was deleted.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0130
  name: User deleted Registry
  source: user
  relationship: deleted
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0130
  name: User deleted Registry
  source: user
  relationship: deleted
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueDeleted
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0130
  name: User deleted Registry
  source: user
  relationship: deleted
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeyDeleted
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0130
  name: User deleted Registry
  source: user
  relationship: deleted
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Registry value deleted
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key deletion
  relationship_id: REL-2022-0130
  name: User deleted Registry
  source: user
  relationship: deleted
  target: registry
  event_id: '4660'
  event_name: An object was deleted.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryValueSet
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0145
  name: User modified Registry
  source: user
  relationship: modified
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: RegistryKeySet
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '13'
  event_name: RegistryEvent (Value Set).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in:
  - EventType: SetValue
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '14'
  event_name: RegistryEvent (Key and Value Rename).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - OperationType: Existing registry value modified
- technique_id: T1112
  is_subtechnique: .nan
  technique: Modify Registry
  tactic:
  - defense-evasion
  platform:
  - Windows
  data_source: windows registry
  data_component: windows registry key modification
  relationship_id: REL-2022-0071
  name: Process modified Registry
  source: process
  relationship: modified
  target: registry
  event_id: '4670'
  event_name: Permissions on an object were changed.
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0125 name: Process created Registry source: process relationship: created target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: CreateKey - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: windows registry data_component: windows registry key 
creation relationship_id: REL-2022-0105 name: User created Registry source: user relationship: created target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: New registry value created - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1112 is_subtechnique: .nan technique: Modify Registry tactic: - defense-evasion platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: '6' event_name: Driver loaded. 
event_platform: windows audit_category: DriverLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: DriverLoaded - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1111 is_subtechnique: .nan technique: Multi-Factor Authentication Interception tactic: - credential-access platform: - Linux - Windows - macOS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1110 is_subtechnique: false technique: Brute Force tactic: - credential-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1110 is_subtechnique: false technique: Brute Force tactic: - credential-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1110 is_subtechnique: false technique: Brute Force tactic: - credential-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1110 is_subtechnique: false technique: Brute Force tactic: - credential-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1110 is_subtechnique: false technique: Brute Force tactic: - credential-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1110 is_subtechnique: false technique: Brute Force tactic: - credential-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1110 is_subtechnique: false technique: Brute Force tactic: - credential-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1110 is_subtechnique: false technique: Brute Force tactic: - credential-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1110 is_subtechnique: false technique: Brute Force tactic: - credential-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1110 is_subtechnique: false technique: Brute Force tactic: - credential-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers - Network data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1110 is_subtechnique: false technique: Brute Force tactic: - credential-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers - Network data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4625' event_name: An account failed to log on. 
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110
  is_subtechnique: false
  technique: Brute Force
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110
  is_subtechnique: false
  technique: Brute Force
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0001
  name: User attempted to authenticate from Port
  source: user
  relationship: attempted to authenticate from
  target: port
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1110
  is_subtechnique: false
  technique: Brute Force
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0122
  name: User attempted to authenticate from Device
  source: user
  relationship: attempted to authenticate from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110
  is_subtechnique: false
  technique: Brute Force
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0163
  name: User authenticated from Device
  source: user
  relationship: authenticated from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110
  is_subtechnique: false
  technique: Brute Force
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110
  is_subtechnique: false
  technique: Brute Force
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110
  is_subtechnique: false
  technique: Brute Force
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1110
  is_subtechnique: false
  technique: Brute Force
  tactic:
  - credential-access
  platform:
  - Windows
  - Azure AD
  - Office 365
  - SaaS
  - IaaS
  - Linux
  - macOS
  - Google Workspace
  - Containers
  - Network
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: LogonSuccess
- technique_id: T1106
  is_subtechnique: false
  technique: Native API
  tactic:
  - execution
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1106
  is_subtechnique: false
  technique: Native API
  tactic:
  - execution
  platform:
  - Windows
  - macOS
  - Linux
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: CreateRemoteThreadApiCall
- technique_id: T1106
  is_subtechnique: false
  technique: Native API
  tactic:
  - execution
  platform:
  - Windows
  - macOS
  - Linux
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1106
  is_subtechnique: false
  technique: Native API
  tactic:
  - execution
  platform:
  - Windows
  - macOS
  - Linux
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1106
  is_subtechnique: false
  technique: Native API
  tactic:
  - execution
  platform:
  - Windows
  - macOS
  - Linux
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1106
  is_subtechnique: false
  technique: Native API
  tactic:
  - execution
  platform:
  - Windows
  - macOS
  - Linux
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ImageLoaded
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1105
  is_subtechnique: false
  technique: Ingress Tool Transfer
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. 
event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1105 is_subtechnique: false technique: Ingress Tool Transfer tactic: - command-and-control platform: - Linux - macOS - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An 
attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1104 is_subtechnique: .nan technique: Multi-Stage Channels tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102 is_subtechnique: .nan technique: Web Service tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1102
  is_subtechnique: .nan
  technique: Web Service
  tactic:
  - command-and-control
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1102 is_subtechnique: .nan technique: Web Service tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102 is_subtechnique: .nan technique: Web Service tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102 is_subtechnique: .nan technique: Web Service tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1102 is_subtechnique: .nan technique: Web Service tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1102 is_subtechnique: .nan technique: Web Service tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1102 is_subtechnique: .nan technique: Web Service tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1102 is_subtechnique: .nan technique: Web Service tactic: - command-and-control platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0003 name: User modified User source: user relationship: modified target: user event_id: '4738' event_name: A user account was changed. 
event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0003 name: User modified User source: user relationship: modified target: user event_id: '4781' event_name: The name of an account was changed. event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0003 name: User modified User source: user relationship: modified target: user event_id: '4742' event_name: A computer account was changed. 
event_platform: windows audit_category: Account Management audit_sub_category: Computer Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0003 name: User modified User source: user relationship: modified target: user event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: UserAccountModified - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0009 name: User locked User source: user relationship: locked target: user event_id: '4740' event_name: A user account was locked out. event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0019 name: User unlocked User source: user relationship: unlocked target: user event_id: '4767' event_name: A user account was unlocked. 
event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0024 name: User enabled User source: user relationship: enabled target: user event_id: '4722' event_name: A user account was enabled. event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0024 name: User enabled User source: user relationship: enabled target: user event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: UserAccountModified - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0042 name: User granted acess to User source: user relationship: granted access to target: user event_id: '4717' event_name: System security access was granted to an account. 
event_platform: windows audit_category: Policy Change audit_sub_category: Authentication Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0083 name: User removed acess from User source: user relationship: removed access from target: user event_id: '4718' event_name: System security access was removed from an account. event_platform: windows audit_category: Policy Change audit_sub_category: Authentication Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0109 name: User disabled User source: user relationship: disabled target: user event_id: '4725' event_name: A user account was disabled. 
event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0109 name: User disabled User source: user relationship: disabled target: user event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: UserAccountModified - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0133 name: User attempted to modify User source: user relationship: attempted to modify target: user event_id: '4723' event_name: An attempt was made to change an account's password. event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: user account data_component: user account modification relationship_id: REL-2022-0133 name: User attempted to modify User source: user relationship: attempted to modify target: user event_id: '4724' event_name: An attempt was made to reset an account's password. 
event_platform: windows audit_category: Account Management audit_sub_category: User Account Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: group data_component: group modification relationship_id: REL-2022-0185 name: User modified Group source: user relationship: modified target: group event_id: '4728' event_name: A member was added to a security-enabled global group. 
event_platform: windows audit_category: Account Management audit_sub_category: Security Group Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: group data_component: group modification relationship_id: REL-2022-0185 name: User modified Group source: user relationship: modified target: group event_id: '4729' event_name: A member was removed from a security-enabled global group. event_platform: windows audit_category: Account Management audit_sub_category: Security Group Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: group data_component: group modification relationship_id: REL-2022-0185 name: User modified Group source: user relationship: modified target: group event_id: '4732' event_name: A member was added to a security-enabled local group. event_platform: windows audit_category: Account Management audit_sub_category: Security Group Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: group data_component: group modification relationship_id: REL-2022-0185 name: User modified Group source: user relationship: modified target: group event_id: '4733' event_name: A member was removed from a security-enabled local group. 
event_platform: windows audit_category: Account Management audit_sub_category: Security Group Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: group data_component: group modification relationship_id: REL-2022-0185 name: User modified Group source: user relationship: modified target: group event_id: '4735' event_name: A security-enabled local group was changed. event_platform: windows audit_category: Account Management audit_sub_category: Security Group Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: group data_component: group modification relationship_id: REL-2022-0185 name: User modified Group source: user relationship: modified target: group event_id: '4737' event_name: A security-enabled global group was changed. event_platform: windows audit_category: Account Management audit_sub_category: Security Group Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: group data_component: group modification relationship_id: REL-2022-0185 name: User modified Group source: user relationship: modified target: group event_id: '4755' event_name: A security-enabled universal group was changed. 
event_platform: windows audit_category: Account Management audit_sub_category: Security Group Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: group data_component: group modification relationship_id: REL-2022-0185 name: User modified Group source: user relationship: modified target: group event_id: '4756' event_name: A member was added to a security-enabled universal group. event_platform: windows audit_category: Account Management audit_sub_category: Security Group Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: group data_component: group modification relationship_id: REL-2022-0185 name: User modified Group source: user relationship: modified target: group event_id: '4757' event_name: A member was removed from a security-enabled universal group. event_platform: windows audit_category: Account Management audit_sub_category: Security Group Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: group data_component: group modification relationship_id: REL-2022-0185 name: User modified Group source: user relationship: modified target: group event_id: '4764' event_name: A groups type was changed. 
event_platform: windows audit_category: Account Management audit_sub_category: Security Group Management channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '5136' event_name: A directory service object was modified. event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '5139' event_name: A directory service object was moved. 
event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Changes channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: active directory data_component: active directory object modification relationship_id: REL-2022-0162 name: User modified AD Object source: user relationship: modified target: ad object event_id: '4719' event_name: System audit policy was changed. event_platform: windows audit_category: Policy Change audit_sub_category: Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1098 is_subtechnique: false technique: Account Manipulation tactic: - persistence platform: - Windows - Azure AD - Office 365 - IaaS - Linux - macOS - Google Workspace - SaaS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1092 is_subtechnique: .nan technique: Communication Through 
Removable Media tactic: - command-and-control platform: - Linux - macOS - Windows data_source: drive data_component: drive creation relationship_id: REL-2022-0069 name: User attempted to install Drive source: user relationship: attempted to install target: drive event_id: '6423' event_name: The installation of this device is forbidden by system policy. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1092 is_subtechnique: .nan technique: Communication Through Removable Media tactic: - command-and-control platform: - Linux - macOS - Windows data_source: drive data_component: drive creation relationship_id: REL-2022-0114 name: User installed Drive source: user relationship: installed target: drive event_id: '6416' event_name: A new external device was recognized by the system. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1092 is_subtechnique: .nan technique: Communication Through Removable Media tactic: - command-and-control platform: - Linux - macOS - Windows data_source: drive data_component: drive creation relationship_id: REL-2022-0114 name: User installed Drive source: user relationship: installed target: drive event_id: '6424' event_name: The installation of this device was allowed, after having previously been forbidden by policy. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: drive data_component: drive creation relationship_id: REL-2022-0069 name: User attempted to install Drive source: user relationship: attempted to install target: drive event_id: '6423' event_name: The installation of this device is forbidden by system policy. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: drive data_component: drive creation relationship_id: REL-2022-0114 name: User installed Drive source: user relationship: installed target: drive event_id: '6416' event_name: A new external device was recognized by the system. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: drive data_component: drive creation relationship_id: REL-2022-0114 name: User installed Drive source: user relationship: installed target: drive event_id: '6424' event_name: The installation of this device was allowed, after having previously been forbidden by policy. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1091 is_subtechnique: .nan technique: Replication Through Removable Media tactic: - lateral-movement - initial-access platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1090 is_subtechnique: .nan technique: Proxy tactic: - command-and-control platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1090
  is_subtechnique: .nan
  technique: Proxy
  tactic: [command-and-control]
  platform: [Linux, macOS, Windows, Network]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ConnectionSuccess}]
- technique_id: T1090
  is_subtechnique: .nan
  technique: Proxy
  tactic: [command-and-control]
  platform: [Linux, macOS, Windows, Network]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: SAM}]
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1087
  is_subtechnique: .nan
  technique: Account Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1083
  is_subtechnique: false
  technique: File and Directory Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1082
  is_subtechnique: false
  technique: System Information Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1080
  is_subtechnique: .nan
  technique: Taint Shared Content
  tactic: [lateral-movement]
  platform: [Windows, Office 365, SaaS, Linux, macOS]
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1080
  is_subtechnique: .nan
  technique: Taint Shared Content
  tactic: [lateral-movement]
  platform: [Windows, Office 365, SaaS, Linux, macOS]
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FileCreated}]
- technique_id: T1080
  is_subtechnique: .nan
  technique: Taint Shared Content
  tactic: [lateral-movement]
  platform: [Windows, Office 365, SaaS, Linux, macOS]
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process 
relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. 
event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: network share data_component: network share access relationship_id: REL-2022-0078 name: User attempted to access Network Share source: user relationship: attempted to access target: network share event_id: '5140' event_name: A network share object was accessed. 
event_platform: windows audit_category: Object Access audit_sub_category: File Share channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: network share data_component: network share access relationship_id: REL-2022-0078 name: User attempted to access Network Share source: user relationship: attempted to access target: network share event_id: '5145' event_name: A network share object was checked to see whether client can be granted desired access. event_platform: windows audit_category: Object Access audit_sub_category: Detailed File Share channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1080 is_subtechnique: .nan technique: Taint Shared Content tactic: - lateral-movement platform: - Windows - Office 365 - SaaS - Linux - macOS data_source: network share data_component: network share access relationship_id: REL-2022-0078 name: User attempted to access Network Share source: user relationship: attempted to access target: network share event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' 
event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4703' event_name: A token right was adjusted. event_platform: windows audit_category: Policy Change audit_sub_category: Authorization Policy Change channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4673' event_name: A privileged service was called. 
event_platform: windows audit_category: Privilege Use audit_sub_category: Sensitive Privilege Use channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4674' event_name: An operation was attempted on a privileged object. event_platform: windows audit_category: Privilege Use audit_sub_category: Sensitive Privilege Use channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4610' event_name: An authentication package has been loaded by the Local Security Authority. 
event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4611' event_name: A trusted logon process has been registered with the Local Security Authority. event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4614' event_name: A notification package has been loaded by the Security Account Manager. 
event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: logon session data_component: logon session metadata relationship_id: REL-2022-0050 name: Logon Metadata source: logon relationship: metadata target: null event_id: '4622' event_name: A security package has been loaded by the Local Security Authority. event_platform: windows audit_category: System audit_sub_category: Security System Extension channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4648' event_name: A logon was attempted using explicit credentials. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0122 name: User attempted to authenticate from Device source: user relationship: attempted to authenticate from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. 
event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0163 name: User authenticated from Device source: user relationship: authenticated from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. event_platform: windows audit_category: Account Logon audit_sub_category: Credential Validation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4625' event_name: An account failed to log on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: '4648' event_name: A logon was attempted using explicit credentials. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1078 is_subtechnique: false technique: Valid Accounts tactic: - defense-evasion - persistence - privilege-escalation - initial-access platform: - Windows - Azure AD - Office 365 - SaaS - IaaS - Linux - macOS - Google Workspace - Containers data_source: user account data_component: user account authentication relationship_id: REL-2022-0170 name: User attempted to authenticate from Ip source: user relationship: attempted to authenticate from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan
- technique_id: T1074 is_subtechnique: .nan technique: Data Staged tactic: - collection platform: - Windows - IaaS - Linux - macOS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1072 is_subtechnique: .nan technique: Software Deployment Tools tactic: - execution - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1072 is_subtechnique: .nan technique: Software Deployment Tools tactic: - execution - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1072 is_subtechnique: .nan technique: Software Deployment Tools tactic: - execution - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1072 is_subtechnique: .nan technique: Software Deployment Tools tactic: - execution - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1072 is_subtechnique: .nan technique: Software Deployment Tools tactic: - execution - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1072 is_subtechnique: .nan technique: Software Deployment Tools tactic: - execution - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall
- technique_id: T1072 is_subtechnique: .nan technique: Software Deployment Tools tactic: - execution - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1072 is_subtechnique: .nan technique: Software Deployment Tools tactic: - execution - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1072 is_subtechnique: .nan technique: Software Deployment Tools tactic: - execution - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1072 is_subtechnique: .nan technique: Software Deployment Tools tactic: - execution - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed
- technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers -
Network data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '26' event_name: File Delete logged. event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4660' event_name: An object was deleted. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file deletion relationship_id: REL-2022-0020 name: Process deleted File source: process relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. 
event_platform: windows audit_category: FileDelete audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '23' event_name: File Delete archived. event_platform: linux audit_category: FileDelete audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '26' event_name: File Delete logged. event_platform: windows audit_category: FileDeleteDetected audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4660' event_name: An object was deleted. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: file data_component: file deletion relationship_id: REL-2022-0144 name: User deleted File source: user relationship: deleted target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileDeleted - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0102 name: Process deleted Registry source: process relationship: deleted target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0102 name: Process deleted Registry source: process relationship: deleted target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueDeleted - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0102 name: Process deleted Registry source: process relationship: deleted target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyDeleted - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0102 name: Process deleted Registry source: process relationship: deleted target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ActionType: Registry value deleted - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0102 name: Process deleted Registry source: process relationship: deleted target: registry event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0130 name: User deleted Registry source: user relationship: deleted target: registry event_id: '12' event_name: RegistryEvent (Object create and delete). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0130 name: User deleted Registry source: user relationship: deleted target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueDeleted - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0130 name: User deleted Registry source: user relationship: deleted target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyDeleted - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0130 name: User deleted Registry source: user relationship: deleted target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Registry value deleted - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key deletion relationship_id: REL-2022-0130 name: User deleted Registry source: user relationship: deleted target: registry event_id: '4660' event_name: An object was deleted. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). 
event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4625' event_name: An account failed to log on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Account Lockout channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: '4648' event_name: A logon was attempted using explicit credentials. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: user account data_component: user account authentication relationship_id: REL-2022-0001 name: User attempted to authenticate from Port source: user relationship: attempted to authenticate from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1070 is_subtechnique: .nan technique: Indicator Removal on Host tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers - Network data_source: user account data_component: user account authentication relationship_id: REL-2022-0122 name: User attempted to authenticate from Device source: user relationship: attempted to authenticate from target: device event_id: '4776' event_name: The domain controller or local computer attempted to validate the credentials for an account. 
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070
  is_subtechnique: .nan
  technique: Indicator Removal on Host
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers, Network]
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0163
  name: User authenticated from Device
  source: user
  relationship: authenticated from
  target: device
  event_id: '4776'
  event_name: The domain controller or local computer attempted to validate the credentials for an account.
  event_platform: windows
  audit_category: Account Logon
  audit_sub_category: Credential Validation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070
  is_subtechnique: .nan
  technique: Indicator Removal on Host
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers, Network]
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4624'
  event_name: An account was successfully logged on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070
  is_subtechnique: .nan
  technique: Indicator Removal on Host
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers, Network]
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4625'
  event_name: An account failed to log on.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Account Lockout
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070
  is_subtechnique: .nan
  technique: Indicator Removal on Host
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers, Network]
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: '4648'
  event_name: A logon was attempted using explicit credentials.
  event_platform: windows
  audit_category: Logon/Logoff
  audit_sub_category: Logon
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1070
  is_subtechnique: .nan
  technique: Indicator Removal on Host
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers, Network]
  data_source: user account
  data_component: user account authentication
  relationship_id: REL-2022-0170
  name: User attempted to authenticate from Ip
  source: user
  relationship: attempted to authenticate from
  target: ip
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: group
  data_component: group enumeration
  relationship_id: REL-2022-0165
  name: User enumerated Group
  source: user
  relationship: enumerated
  target: group
  event_id: '4798'
  event_name: A user's local group membership was enumerated.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: User Account Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: group
  data_component: group enumeration
  relationship_id: REL-2022-0165
  name: User enumerated Group
  source: user
  relationship: enumerated
  target: group
  event_id: '4799'
  event_name: A security-enabled local group membership was enumerated.
  event_platform: windows
  audit_category: Account Management
  audit_sub_category: Security Group Management
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1069
  is_subtechnique: .nan
  technique: Permission Groups Discovery
  tactic: [discovery]
  platform: [Windows, Azure AD, Office 365, SaaS, IaaS, Linux, macOS, Google Workspace, Containers]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1068
  is_subtechnique: .nan
  technique: Exploitation for Privilege Escalation
  tactic: [privilege-escalation]
  platform: [Linux, macOS, Windows, Containers]
  data_source: driver
  data_component: driver load
  relationship_id: REL-2022-0126
  name: Driver loaded
  source: driver
  relationship: loaded
  target: null
  event_id: '6'
  event_name: Driver loaded.
  event_platform: windows
  audit_category: DriverLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1068
  is_subtechnique: .nan
  technique: Exploitation for Privilege Escalation
  tactic: [privilege-escalation]
  platform: [Linux, macOS, Windows, Containers]
  data_source: driver
  data_component: driver load
  relationship_id: REL-2022-0126
  name: Driver loaded
  source: driver
  relationship: loaded
  target: null
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: DriverLoaded
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0029
  name: Process terminated
  source: process
  relationship: terminated
  target: null
  event_id: '5'
  event_name: Process terminated.
  event_platform: windows
  audit_category: ProcessTerminate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0029
  name: Process terminated
  source: process
  relationship: terminated
  target: null
  event_id: '5'
  event_name: Process terminated.
  event_platform: linux
  audit_category: ProcessTerminate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0073
  name: Process searched LDAP
  source: process
  relationship: searched
  target: ldap
  event_id: '30'
  event_name: EventID(30)
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft-Windows-LDAP-Client/Debug
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process metadata
  relationship_id: REL-2022-0073
  name: Process searched LDAP
  source: process
  relationship: searched
  target: ldap
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LdapSearch
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ScriptContent
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: PowerShellCommand
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: AmsiScriptDetection
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0014
  name: User loaded Module
  source: user
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ImageLoaded
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: '7'
  event_name: Image loaded.
  event_platform: windows
  audit_category: ImageLoad
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1059
  is_subtechnique: false
  technique: Command and Scripting Interpreter
  tactic: [execution]
  platform: [Linux, macOS, Windows, Network]
  data_source: module
  data_component: module load
  relationship_id: REL-2022-0178
  name: Process loaded Module
  source: process
  relationship: loaded
  target: module
  event_id: DeviceImageLoadEvents
  event_name: DeviceImageLoadEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ImageLoaded
- technique_id: T1057
  is_subtechnique: .nan
  technique: Process Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1057
  is_subtechnique: .nan
  technique: Process Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1057
  is_subtechnique: .nan
  technique: Process Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1057
  is_subtechnique: .nan
  technique: Process Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1057
  is_subtechnique: .nan
  technique: Process Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1057
  is_subtechnique: .nan
  technique: Process Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1057
  is_subtechnique: .nan
  technique: Process Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1057
  is_subtechnique: .nan
  technique: Process Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1057
  is_subtechnique: .nan
  technique: Process Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1057
  is_subtechnique: .nan
  technique: Process Discovery
  tactic: [discovery]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1057 is_subtechnique: .nan technique: Process Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1057 is_subtechnique: .nan technique: Process Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1057 is_subtechnique: .nan technique: Process Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1057 is_subtechnique: .nan technique: Process Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1057 is_subtechnique: .nan technique: Process Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1057 is_subtechnique: .nan technique: Process Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1057 is_subtechnique: .nan technique: Process Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1057 is_subtechnique: .nan technique: Process Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1057 is_subtechnique: .nan technique: Process Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1057 is_subtechnique: .nan technique: Process Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1057 is_subtechnique: .nan technique: Process Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process metadata relationship_id: REL-2022-0029 name: Process terminated source: process relationship: 
terminated target: null event_id: '5' event_name: Process terminated. event_platform: windows audit_category: ProcessTerminate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process metadata relationship_id: REL-2022-0029 name: Process terminated source: process relationship: terminated target: null event_id: '5' event_name: Process terminated. event_platform: linux audit_category: ProcessTerminate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: '30' event_name: EventID(30) event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-LDAP-Client/Debug filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LdapSearch - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation 
relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry 
data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0145 name: User modified Registry source: user relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeySet - technique_id: T1056 is_subtechnique: .nan 
technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '13' event_name: RegistryEvent (Value Set). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: - EventType: SetValue - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '14' event_name: RegistryEvent (Key and Value Rename). event_platform: windows audit_category: RegistryEvent audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4657' event_name: A registry value was modified. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - OperationType: Existing registry value modified - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryValueSet - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: windows registry data_component: windows registry key modification relationship_id: REL-2022-0071 name: Process modified Registry source: process relationship: modified target: registry event_id: DeviceRegistryEvents event_name: DeviceRegistryEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: RegistryKeyCreated - technique_id: T1056 
is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: '6' event_name: Driver loaded. event_platform: windows audit_category: DriverLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1056 is_subtechnique: .nan technique: Input Capture tactic: - collection - credential-access platform: - Linux - macOS - Windows - Network data_source: driver data_component: driver load relationship_id: REL-2022-0126 name: Driver loaded source: driver relationship: loaded target: null event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: DriverLoaded - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: Image loaded. 
event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process 
data_component: process modification relationship_id: REL-2022-0143 name: Process modified Process source: process relationship: modified target: process event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process data_component: process modification relationship_id: REL-2022-0143 name: Process modified Process source: process relationship: modified target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '10' event_name: Process Access. 
event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '10' event_name: ProcessAccess event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1055 is_subtechnique: .nan technique: Process Injection tactic: - defense-evasion - privilege-escalation platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: scheduled job data_component: scheduled job creation relationship_id: REL-2022-0030 name: User created Scheduled job source: user relationship: created target: scheduled job event_id: '4698' event_name: A scheduled task was created. 
event_platform: windows audit_category: Object Access audit_sub_category: Other Object Access Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: scheduled job data_component: scheduled job creation relationship_id: REL-2022-0030 name: User created Scheduled job source: user relationship: created target: scheduled job event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScheduledTaskCreated - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file modification relationship_id: REL-2022-0041 name: User modified File source: user relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '2' event_name: A process changed a file creation time. event_platform: windows audit_category: FileCreateTime audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '11' event_name: FileCreate. 
event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: '4670' event_name: Permissions on an object were changed. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - 
privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '11' event_name: FileCreate. event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0043 name: User created File source: user relationship: created target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: windows audit_category: FileCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: 11 event_name: FileCreate event_platform: linux audit_category: FileCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file creation relationship_id: REL-2022-0181 name: Process created File source: process relationship: created target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileCreated - technique_id: T1053 is_subtechnique: false technique: Scheduled Task/Job tactic: - execution - persistence - privilege-escalation platform: - Windows - Linux - macOS - Containers data_source: file data_component: file 
creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: SAM
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: drive
  data_component: drive creation
  relationship_id: REL-2022-0069
  name: User attempted to install Drive
  source: user
  relationship: attempted to install
  target: drive
  event_id: '6423'
  event_name: The installation of this device is forbidden by system policy.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: PNP Activity
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: drive
  data_component: drive creation
  relationship_id: REL-2022-0114
  name: User installed Drive
  source: user
  relationship: installed
  target: drive
  event_id: '6416'
  event_name: A new external device was recognized by the system.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: PNP Activity
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: drive
  data_component: drive creation
  relationship_id: REL-2022-0114
  name: User installed Drive
  source: user
  relationship: installed
  target: drive
  event_id: '6424'
  event_name: The installation of this device was allowed, after having previously been forbidden by policy.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: PNP Activity
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1052
  is_subtechnique: .nan
  technique: Exfiltration Over Physical Medium
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1049
  is_subtechnique: false
  technique: System Network Connections Discovery
  tactic: [discovery]
  platform: [Windows, IaaS, Linux, macOS, Network]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: SAM
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionAttempt
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1048 is_subtechnique: .nan technique: Exfiltration Over Alternative Protocol tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FirewallInboundConnectionBlocked}]
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: InboundConnectionAccepted}]
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: InboundConnectionAccepted}]
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: InboundConnectionAccepted}]
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ConnectionSuccess}]
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1048
  is_subtechnique: .nan
  technique: Exfiltration Over Alternative Protocol
  tactic: [exfiltration]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: InboundConnectionAccepted}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ConnectionAttempt}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ConnectionSuccess}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: InboundConnectionAccepted}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ConnectionAttempt}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ConnectionSuccess}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ListeningConnectionCreated}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FirewallInboundConnectionToAppBlocked}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ConnectionRequest}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FirewallInboundConnectionBlocked}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ListeningConnectionCreated}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: InboundConnectionAccepted}]
- technique_id: T1047
  is_subtechnique: false
  technique: Windows Management Instrumentation
  tactic: [execution]
  platform: [Windows]
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1047 is_subtechnique: false technique: Windows Management Instrumentation tactic: - execution platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1046 is_subtechnique: false technique: Network Service Discovery tactic: - discovery platform: - Windows - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1046 is_subtechnique: false technique: Network Service Discovery tactic: - discovery platform: - Windows - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1046 is_subtechnique: false technique: Network Service Discovery tactic: - discovery platform: - Windows - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1046 is_subtechnique: false technique: Network Service Discovery tactic: - discovery platform: - Windows - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1046 is_subtechnique: false technique: Network Service Discovery tactic: - discovery platform: - Windows - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1046 is_subtechnique: false technique: Network Service Discovery tactic: - discovery platform: - Windows - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1046 is_subtechnique: false technique: Network Service Discovery tactic: - discovery platform: - Windows - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1046 is_subtechnique: false technique: Network Service Discovery tactic: - discovery platform: - Windows - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1046 is_subtechnique: false technique: Network Service Discovery tactic: - discovery platform: - Windows - IaaS - Linux - macOS - Containers - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ProcessCreated
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: File
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
  - ObjectType: SAM
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1041
  is_subtechnique: .nan
  technique: Exfiltration Over C2 Channel
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1041 is_subtechnique: .nan technique: Exfiltration Over C2 Channel tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1040 is_subtechnique: false technique: Network Sniffing tactic: - credential-access - discovery platform: - Linux - macOS - Windows - Network - IaaS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1039 is_subtechnique: .nan technique: Data from Network Shared Drive tactic: - collection platform: - Linux - macOS - Windows data_source: network share data_component: network share access relationship_id: REL-2022-0078 name: User attempted to access Network Share source: user relationship: attempted to access target: network share event_id: '5140' event_name: A network share object was accessed. 
event_platform: windows audit_category: Object Access audit_sub_category: File Share channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1039 is_subtechnique: .nan technique: Data from Network Shared Drive tactic: - collection platform: - Linux - macOS - Windows data_source: network share data_component: network share access relationship_id: REL-2022-0078 name: User attempted to access Network Share source: user relationship: attempted to access target: network share event_id: '5145' event_name: A network share object was checked to see whether client can be granted desired access. event_platform: windows audit_category: Object Access audit_sub_category: Detailed File Share channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1039 is_subtechnique: .nan technique: Data from Network Shared Drive tactic: - collection platform: - Linux - macOS - Windows data_source: network share data_component: network share access relationship_id: REL-2022-0078 name: User attempted to access Network Share source: user relationship: attempted to access target: network share event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1039 is_subtechnique: .nan technique: Data from Network Shared Drive tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1039 is_subtechnique: .nan technique: Data from Network Shared Drive tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1039 is_subtechnique: .nan technique: Data from Network Shared Drive tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1039 is_subtechnique: .nan technique: Data from Network Shared Drive tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1039 is_subtechnique: .nan technique: Data from Network Shared Drive tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1039 is_subtechnique: .nan technique: Data from Network Shared Drive tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1039 is_subtechnique: .nan technique: Data from Network Shared Drive tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1039
  is_subtechnique: false
  technique: Data from Network Shared Drive
  tactic: [collection]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: null
- technique_id: T1039
  is_subtechnique: false
  technique: Data from Network Shared Drive
  tactic: [collection]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1039
  is_subtechnique: false
  technique: Data from Network Shared Drive
  tactic: [collection]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1039
  is_subtechnique: false
  technique: Data from Network Shared Drive
  tactic: [collection]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1039
  is_subtechnique: false
  technique: Data from Network Shared Drive
  tactic: [collection]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: null
  channel: null
  log_source: sysmon
  filter_in: null
- technique_id: T1039
  is_subtechnique: false
  technique: Data from Network Shared Drive
  tactic: [collection]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: null
- technique_id: T1039
  is_subtechnique: false
  technique: Data from Network Shared Drive
  tactic: [collection]
  platform: [Linux, macOS, Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: [{EventType: CreateKey}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: RegistryValueSet}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: RegistryKeyCreated}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0125
  name: Process created Registry
  source: process
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '12'
  event_name: RegistryEvent (Object create and delete).
  event_platform: windows
  audit_category: RegistryEvent
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: [{EventType: CreateKey}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: RegistryValueSet}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: DeviceRegistryEvents
  event_name: DeviceRegistryEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: RegistryKeyCreated}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: windows registry
  data_component: windows registry key creation
  relationship_id: REL-2022-0105
  name: User created Registry
  source: user
  relationship: created
  target: registry
  event_id: '4657'
  event_name: A registry value was modified.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Registry
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{OperationType: New registry value created}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: null
  channel: null
  log_source: sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: null
  channel: null
  log_source: sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5136'
  event_name: A directory service object was modified.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '5139'
  event_name: A directory service object was moved.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Changes
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: active directory
  data_component: active directory object modification
  relationship_id: REL-2022-0162
  name: User modified AD Object
  source: user
  relationship: modified
  target: ad object
  event_id: '4719'
  event_name: System audit policy was changed.
  event_platform: windows
  audit_category: Policy Change
  audit_sub_category: Policy Change
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FileModified}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FileModified}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FileRenamed}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: null
  channel: null
  log_source: sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FileCreated}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0043
  name: User created File
  source: user
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: linux
  audit_category: FileCreate
  audit_sub_category: null
  channel: null
  log_source: sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FileCreated}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: file
  data_component: file creation
  relationship_id: REL-2022-0181
  name: Process created File
  source: process
  relationship: created
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: null
  channel: null
  log_source: sysmon
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: null
- technique_id: T1037
  is_subtechnique: false
  technique: Boot or Logon Initialization Scripts
  tactic: [persistence, privilege-escalation]
  platform: [macOS, Windows, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: scheduled job
  data_component: scheduled job modification
  relationship_id: REL-2022-0119
  name: User modified Schedule job
  source: user
  relationship: modified
  target: schedule job
  event_id: '4702'
  event_name: A scheduled task was updated.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Other Object Access Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: scheduled job
  data_component: scheduled job modification
  relationship_id: REL-2022-0119
  name: User modified Schedule job
  source: user
  relationship: modified
  target: schedule job
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ScheduledTaskUpdated}]
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: scheduled job
  data_component: scheduled job modification
  relationship_id: REL-2022-0148
  name: User enabled Scheduled job
  source: user
  relationship: enabled
  target: scheduled job
  event_id: '4700'
  event_name: A scheduled task was enabled.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Other Object Access Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: scheduled job
  data_component: scheduled job modification
  relationship_id: REL-2022-0148
  name: User enabled Scheduled job
  source: user
  relationship: enabled
  target: scheduled job
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ScheduledTaskModified}]
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: scheduled job
  data_component: scheduled job modification
  relationship_id: REL-2022-0167
  name: User disabled Scheduled job
  source: user
  relationship: disabled
  target: scheduled job
  event_id: '4701'
  event_name: A scheduled task was disabled.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Other Object Access Events
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: scheduled job
  data_component: scheduled job modification
  relationship_id: REL-2022-0167
  name: User disabled Scheduled job
  source: user
  relationship: disabled
  target: scheduled job
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ScheduledTaskModified}]
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: '4697'
  event_name: A service was installed in the system.
  event_platform: windows
  audit_category: System
  audit_sub_category: Security System Extension
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: '7045'
  event_name: A new service was installed in the system.
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: System
  log_source: Service Control Manager
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: service
  data_component: service creation
  relationship_id: REL-2022-0097
  name: User created Service
  source: user
  relationship: created
  target: service
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ServiceInstalled}]
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0094
  name: Service stopped
  source: service
  relationship: stopped
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0094
  name: Service stopped
  source: service
  relationship: stopped
  target: null
  event_id: '6006'
  event_name: The Event log service was stopped.
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: System
  log_source: EventLog
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0184
  name: Service started
  source: service
  relationship: started
  target: null
  event_id: '4'
  event_name: Sysmon service state changed.
  event_platform: windows
  audit_category: ServiceStateChange
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: service
  data_component: service metadata
  relationship_id: REL-2022-0184
  name: Service started
  source: service
  relationship: started
  target: null
  event_id: '6005'
  event_name: The Event log service was started.
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: System
  log_source: EventLog
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FileModified}]
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: null
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: null
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FileModified}]
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: null
  audit_sub_category: null
  channel: null
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: FileRenamed}]
- technique_id: T1036
  is_subtechnique: false
  technique: Masquerading
  tactic: [defense-evasion]
  platform: [Linux, macOS, Windows, Containers]
  data_source: process
  data_component: process metadata
  relationship_id:
REL-2022-0029 name: Process terminated source: process relationship: terminated target: null event_id: '5' event_name: Process terminated. event_platform: windows audit_category: ProcessTerminate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: process data_component: process metadata relationship_id: REL-2022-0029 name: Process terminated source: process relationship: terminated target: null event_id: '5' event_name: Process terminated. event_platform: linux audit_category: ProcessTerminate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: '30' event_name: EventID(30) event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft-Windows-LDAP-Client/Debug filter_in: .nan - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: process data_component: process metadata relationship_id: REL-2022-0073 name: Process searched LDAP source: process relationship: searched target: ldap event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LdapSearch - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: command 
data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1036 is_subtechnique: false technique: Masquerading tactic: - defense-evasion platform: - Linux - macOS - Windows - Containers data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0048 name: Process accessed Registry source: process relationship: accessed target: registry event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0077 name: User accessed Registry source: user relationship: accessed target: registry event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0070 name: Process requested access to Registry source: process relationship: requested access to target: registry event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0013 name: User requested access to Registry source: user relationship: requested access to target: registry event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '10' event_name: Process Access. 
event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '10' event_name: ProcessAccess event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: active directory data_component: active directory object access relationship_id: REL-2022-0015 name: User requested access to AD Object source: user relationship: requested access to target: ad object event_id: '4661' event_name: A handle to an object was requested. event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Access channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: active directory data_component: active directory object access relationship_id: REL-2022-0085 name: User accessed AD Object source: user relationship: accessed target: ad object event_id: '4662' event_name: An operation was performed on an object. 
event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Access channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: active directory data_component: active directory object access relationship_id: REL-2022-0085 name: User accessed AD Object source: user relationship: accessed target: ad object event_id: '4932' event_name: Synchronization of a replica of an Active Directory naming context has begun. event_platform: windows audit_category: DS Access audit_sub_category: Directory Service Replication channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1033 is_subtechnique: false technique: System Owner/User Discovery tactic: - discovery platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1033
  is_subtechnique: false
  technique: System Owner/User Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1033
  is_subtechnique: false
  technique: System Owner/User Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1033
  is_subtechnique: false
  technique: System Owner/User Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1033
  is_subtechnique: false
  technique: System Owner/User Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionAttempt
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0051
  name: Process connected from Host
  source: process
  relationship: connected from
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0090
  name: Device permitted listener on Ip
  source: device
  relationship: permitted listener on
  target: ip
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionAttempt
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ListeningConnectionCreated
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionRequest
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ListeningConnectionCreated
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionRequest
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1030
  is_subtechnique: .nan
  technique: Data Transfer Size Limits
  tactic:
    - exfiltration
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1030 is_subtechnique: .nan technique: Data Transfer Size Limits tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1029 is_subtechnique: .nan technique: Scheduled Transfer tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0103, name: Process bound to Port, source: process, relationship: bound to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ListeningConnectionCreated}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0115, name: Device permitted listener on Port, source: device, relationship: permitted listener on, target: port, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0112, name: Process attempted connection from Port, source: process, relationship: attempted connection from, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0112, name: Process attempted connection from Port, source: process, relationship: attempted connection from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionRequest}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0159, name: Device blocked listener on Port, source: device, relationship: blocked listener on, target: port, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0173, name: Device blocked connection to Ip, source: device, relationship: blocked connection to, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0173, name: Device blocked connection to Ip, source: device, relationship: blocked connection to, target: ip, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallOutboundConnectionBlocked}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0137, name: Device blocked connection to Port, source: device, relationship: blocked connection to, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0137, name: Device blocked connection to Port, source: device, relationship: blocked connection to, target: port, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallOutboundConnectionBlocked}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0128, name: Device blocked listener on Process, source: device, relationship: blocked listener on, target: process, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0164, name: Device permitted listener on Process, source: device, relationship: permitted listener on, target: process, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0010, name: Device blocked port bind on Port, source: device, relationship: blocked port bind on, target: port, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0124, name: Device blocked port bind on Ip, source: device, relationship: blocked port bind on, target: ip, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0160, name: Device blocked connection from Ip, source: device, relationship: blocked connection from, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0160, name: Device blocked connection from Ip, source: device, relationship: blocked connection from, target: ip, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionBlocked}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1029, is_subtechnique: .nan, technique: Scheduled Transfer, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0183, name: Process attempted to bind on Port, source: process, relationship: attempted to bind on, target: port, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '11', event_name: FileCreate., event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0043, name: User created File, source: user, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: windows, audit_category: FileCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: 11, event_name: FileCreate, event_platform: linux, audit_category: FileCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: DeviceFileEvents, event_name: DeviceFileEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FileCreated}]}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: file, data_component: file creation, relationship_id: REL-2022-0181, name: Process created File, source: process, relationship: created, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0146, name: User created Process, source: user, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: '8', event_name: CreateRemoteThread., event_platform: windows, audit_category: CreateRemoteThread, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0153, name: Process created Thread, source: process, relationship: created, target: thread, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: CreateRemoteThreadApiCall}]}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1027, is_subtechnique: false, technique: Obfuscated Files or Information, tactic: [defense-evasion], platform: [Linux, macOS, Windows], data_source: process, data_component: process creation, relationship_id: REL-2022-0175, name: Process created Process, source: process, relationship: created, target: process, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1025, is_subtechnique: .nan, technique: Data from Removable Media, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file access, relationship_id: REL-2022-0036, name: Process requested access to File, source: process, relationship: requested access to, target: file, event_id: '4656', event_name: A handle to an object was requested., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: File}]}
- {technique_id: T1025, is_subtechnique: .nan, technique: Data from Removable Media, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file access, relationship_id: REL-2022-0075, name: User accessed File, source: user, relationship: accessed, target: file, event_id: '4663', event_name: An attempt was made to access an object., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: File}]}
- {technique_id: T1025, is_subtechnique: .nan, technique: Data from Removable Media, tactic: [collection], platform: [Linux, macOS, Windows], data_source: file, data_component: file access, relationship_id: REL-2022-0092, name: User requested access to File, source: user, relationship: requested access to, target: file, event_id: '4656', event_name: A handle to an object was requested., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: File}]}
- technique_id: T1025 is_subtechnique: .nan technique: Data from Removable Media tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested.
event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1025 is_subtechnique: .nan technique: Data from Removable Media tactic: - collection platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1025 is_subtechnique: .nan technique: Data from Removable Media tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1025 is_subtechnique: .nan technique: Data from Removable Media tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1025 is_subtechnique: .nan technique: Data from Removable Media tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1025 is_subtechnique: .nan technique: Data from Removable Media tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1025 is_subtechnique: .nan technique: Data from Removable Media tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1025 is_subtechnique: .nan technique: Data from Removable Media tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1025 is_subtechnique: .nan technique: Data from Removable Media tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1025 is_subtechnique: .nan technique: Data from Removable Media tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1025 is_subtechnique: .nan technique: Data from Removable Media tactic: - collection platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0046 name: User created logon from Ip source: user relationship: created logon from target: ip event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: '4624' event_name: An account was successfully logged on. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0059 name: User created logon from Port source: user relationship: created logon from target: port event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4624' event_name: An account was successfully logged on. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4778' event_name: A session was reconnected to a Window Station. 
event_platform: windows audit_category: Logon/Logoff audit_sub_category: Other Logon/Logoff Events channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: '4964' event_name: Special groups have been assigned to a new logon. event_platform: windows audit_category: Logon/Logoff audit_sub_category: Special Logon channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: logon session data_component: logon session creation relationship_id: REL-2022-0186 name: User created Logon source: user relationship: created target: logon event_id: DeviceLogonEvents event_name: DeviceLogonEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: LogonSuccess - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created 
target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: '7' event_name: Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0014 name: User loaded Module source: user relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: '7' event_name: 
Image loaded. event_platform: windows audit_category: ImageLoad audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: module data_component: module load relationship_id: REL-2022-0178 name: Process loaded Module source: process relationship: loaded target: module event_id: DeviceImageLoadEvents event_name: DeviceImageLoadEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ImageLoaded - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0056
  name: Process attempted connection to Ip
  source: process
  relationship: attempted connection to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionAttempt
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0057
  name: User connected to Ip
  source: user
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0084
  name: Device blocked port bind on Process
  source: device
  relationship: blocked port bind on
  target: process
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0022
  name: Device blocked listener on Ip
  source: device
  relationship: blocked listener on
  target: ip
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0068
  name: Process listened on Port
  source: process
  relationship: listened on
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ListeningConnectionCreated
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: '5031'
  event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0033
  name: Device blocked connection to Process
  source: Device
  relationship: blocked connection to
  target: process
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionToAppBlocked
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0079
  name: Process attempted connection from Ip
  source: process
  relationship: attempted connection from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionRequest
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ListeningConnectionCreated
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionRequest
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network share
  data_component: network share access
  relationship_id: REL-2022-0078
  name: User attempted to access Network Share
  source: user
  relationship: attempted to access
  target: network share
  event_id: '5140'
  event_name: A network share object was accessed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File Share
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network share
  data_component: network share access
  relationship_id: REL-2022-0078
  name: User attempted to access Network Share
  source: user
  relationship: attempted to access
  target: network share
  event_id: '5145'
  event_name: A network share object was checked to see whether client can be granted desired access.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Detailed File Share
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: network share
  data_component: network share access
  relationship_id: REL-2022-0078
  name: User attempted to access Network Share
  source: user
  relationship: attempted to access
  target: network share
  event_id: DeviceLogonEvents
  event_name: DeviceLogonEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: LogonSuccess
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1021
  is_subtechnique: .nan
  technique: Remote Services
  tactic:
    - lateral-movement
  platform:
    - Linux
    - macOS
    - Windows
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1021 is_subtechnique: .nan technique: Remote Services tactic: - lateral-movement platform: - Linux - macOS - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: '4104' event_name: Script Block Logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ScriptContent - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: PowerShellCommand - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: script data_component: script execution relationship_id: REL-2022-0066 name: Process executed Script source: process relationship: executed target: script event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: AmsiScriptDetection 
- technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1020 is_subtechnique: false technique: Automated Exfiltration tactic: - exfiltration platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0028
  name: Device blocked connection from Port
  source: device
  relationship: blocked connection from
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0091
  name: Process attempted to listen on Port
  source: process
  relationship: attempted to listen on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: '5158'
  event_name: The Windows Filtering Platform has permitted a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0103
  name: Process bound to Port
  source: process
  relationship: bound to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ListeningConnectionCreated
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0115
  name: Device permitted listener on Port
  source: device
  relationship: permitted listener on
  target: port
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0108
  name: User connected from Port
  source: user
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0112
  name: Process attempted connection from Port
  source: process
  relationship: attempted connection from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionRequest
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0113
  name: Process connected to Port
  source: process
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0159
  name: Device blocked listener on Port
  source: device
  relationship: blocked listener on
  target: port
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0173
  name: Device blocked connection to Ip
  source: device
  relationship: blocked connection to
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0137
  name: Device blocked connection to Port
  source: device
  relationship: blocked connection to
  target: port
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallOutboundConnectionBlocked
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0128
  name: Device blocked listener on Process
  source: device
  relationship: blocked listener on
  target: process
  event_id: '5155'
  event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0164
  name: Device permitted listener on Process
  source: device
  relationship: permitted listener on
  target: process
  event_id: '5154'
  event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0135
  name: User connected to Port
  source: user
  relationship: connected to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0010
  name: Device blocked port bind on Port
  source: device
  relationship: blocked port bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0141
  name: Process connected to Host
  source: process
  relationship: connected to
  target: host
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0124
  name: Device blocked port bind on Ip
  source: device
  relationship: blocked port bind on
  target: ip
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1020
  is_subtechnique: false
  technique: Automated Exfiltration
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0007
  name: Process connected from Port
  source: process
  relationship: connected from
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: InboundConnectionAccepted
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0012
  name: Process attempted connection to Port
  source: process
  relationship: attempted connection to
  target: port
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionAttempt
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0017
  name: Process connected to Ip
  source: process
  relationship: connected to
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
  - ActionType: ConnectionSuccess
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
  - discovery
  platform:
  - Linux
  - macOS
  - Windows
  - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0074
  name: Device blocked connection from Process
  source: device
  relationship: blocked connection from
  target: process
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1018 is_subtechnique: false technique: Remote System Discovery tactic: - discovery platform: - Linux - macOS - Windows - Network data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: '5157'
  event_name: The Windows Filtering Platform has blocked a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0160
  name: Device blocked connection from Ip
  source: device
  relationship: blocked connection from
  target: ip
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FirewallInboundConnectionBlocked
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0138
  name: User connected from Device
  source: user
  relationship: connected from
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0161
  name: User connected from Ip
  source: user
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '5156'
  event_name: The Windows Filtering Platform has permitted a connection.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0166
  name: Process connected from Ip
  source: process
  relationship: connected from
  target: ip
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: InboundConnectionAccepted
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: windows
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: '3'
  event_name: Network connection.
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0104
  name: User connected to Device
  source: user
  relationship: connected to
  target: device
  event_id: DeviceNetworkEvents
  event_name: DeviceNetworkEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ConnectionSuccess
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: network traffic
  data_component: network connection creation
  relationship_id: REL-2022-0183
  name: Process attempted to bind on Port
  source: process
  relationship: attempted to bind on
  target: port
  event_id: '5159'
  event_name: The Windows Filtering Platform has blocked a bind to a local port.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: Filtering Platform Connection
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: File
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in:
    - ObjectType: SAM
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1018
  is_subtechnique: false
  technique: Remote System Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: CreateRemoteThreadApiCall
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ProcessCreated
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: ScriptContent
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: PowerShellCommand
- technique_id: T1016
  is_subtechnique: false
  technique: System Network Configuration Discovery
  tactic:
    - discovery
  platform:
    - Linux
    - macOS
    - Windows
    - Network
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: AmsiScriptDetection
- technique_id: T1014
  is_subtechnique: false
  technique: Rootkit
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1014
  is_subtechnique: false
  technique: Rootkit
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0041
  name: User modified File
  source: user
  relationship: modified
  target: file
  event_id: DeviceFileEvents
  event_name: DeviceFileEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in:
    - ActionType: FileModified
- technique_id: T1014
  is_subtechnique: false
  technique: Rootkit
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '2'
  event_name: A process changed a file creation time.
  event_platform: windows
  audit_category: FileCreateTime
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1014
  is_subtechnique: false
  technique: Rootkit
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '11'
  event_name: FileCreate.
  event_platform: windows
  audit_category: FileCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1014
  is_subtechnique: false
  technique: Rootkit
  tactic:
    - defense-evasion
  platform:
    - Linux
    - macOS
    - Windows
  data_source: file
  data_component: file modification
  relationship_id: REL-2022-0155
  name: Process modified File
  source: process
  relationship: modified
  target: file
  event_id: '4670'
  event_name: Permissions on an object were changed.
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1014 is_subtechnique: false technique: Rootkit tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileModified - technique_id: T1014 is_subtechnique: false technique: Rootkit tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: file data_component: file modification relationship_id: REL-2022-0155 name: Process modified File source: process relationship: modified target: file event_id: DeviceFileEvents event_name: DeviceFileEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FileRenamed - technique_id: T1014 is_subtechnique: false technique: Rootkit tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0044 name: User enabled Drive source: user relationship: enabled target: drive event_id: '6422' event_name: A device was enabled. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1014 is_subtechnique: false technique: Rootkit tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0053 name: User attempted to disable Drive source: user relationship: attempted to disable target: drive event_id: '6419' event_name: A request was made to disable a device. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1014 is_subtechnique: false technique: Rootkit tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0064 name: User disabled Drive source: user relationship: disabled target: drive event_id: '6420' event_name: A device was disabled. event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1014 is_subtechnique: false technique: Rootkit tactic: - defense-evasion platform: - Linux - macOS - Windows data_source: drive data_component: drive modification relationship_id: REL-2022-0067 name: User attempted to enable Drive source: user relationship: attempted to enable target: drive event_id: '6421' event_name: A request was made to enable a device. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: PNP Activity channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0048 name: Process accessed Registry source: process relationship: accessed target: registry event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0077 name: User accessed Registry source: user relationship: accessed target: registry event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0070 name: Process requested access to Registry source: process relationship: requested access to target: registry event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1012 is_subtechnique: .nan technique: Query Registry tactic: - discovery platform: - Windows data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0013 name: User requested access to Registry source: user relationship: requested access to target: registry event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
  event_platform: linux
  audit_category: NetworkConnect
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0057, name: User connected to Ip, source: user, relationship: connected to, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0084, name: Device blocked port bind on Process, source: device, relationship: blocked port bind on, target: process, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0022, name: Device blocked listener on Ip, source: device, relationship: blocked listener on, target: ip, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0068, name: Process listened on Port, source: process, relationship: listened on, target: port, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0068, name: Process listened on Port, source: process, relationship: listened on, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ListeningConnectionCreated}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: Device, relationship: blocked connection to, target: process, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: Device, relationship: blocked connection to, target: process, event_id: '5031', event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0033, name: Device blocked connection to Process, source: Device, relationship: blocked connection to, target: process, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionToAppBlocked}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0079, name: Process attempted connection from Ip, source: process, relationship: attempted connection from, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0079, name: Process attempted connection from Ip, source: process, relationship: attempted connection from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionRequest}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0028, name: Device blocked connection from Port, source: device, relationship: blocked connection from, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0028, name: Device blocked connection from Port, source: device, relationship: blocked connection from, target: port, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionBlocked}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0091, name: Process attempted to listen on Port, source: process, relationship: attempted to listen on, target: port, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0103, name: Process bound to Port, source: process, relationship: bound to, target: port, event_id: '5158', event_name: The Windows Filtering Platform has permitted a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0103, name: Process bound to Port, source: process, relationship: bound to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ListeningConnectionCreated}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0115, name: Device permitted listener on Port, source: device, relationship: permitted listener on, target: port, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0108, name: User connected from Port, source: user, relationship: connected from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0112, name: Process attempted connection from Port, source: process, relationship: attempted connection from, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0112, name: Process attempted connection from Port, source: process, relationship: attempted connection from, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionRequest}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0113, name: Process connected to Port, source: process, relationship: connected to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0159, name: Device blocked listener on Port, source: device, relationship: blocked listener on, target: port, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0173, name: Device blocked connection to Ip, source: device, relationship: blocked connection to, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0173, name: Device blocked connection to Ip, source: device, relationship: blocked connection to, target: ip, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallOutboundConnectionBlocked}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0137, name: Device blocked connection to Port, source: device, relationship: blocked connection to, target: port, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0137, name: Device blocked connection to Port, source: device, relationship: blocked connection to, target: port, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallOutboundConnectionBlocked}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0128, name: Device blocked listener on Process, source: device, relationship: blocked listener on, target: process, event_id: '5155', event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0164, name: Device permitted listener on Process, source: device, relationship: permitted listener on, target: process, event_id: '5154', event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0135, name: User connected to Port, source: user, relationship: connected to, target: port, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0010, name: Device blocked port bind on Port, source: device, relationship: blocked port bind on, target: port, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0141, name: Process connected to Host, source: process, relationship: connected to, target: host, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0124, name: Device blocked port bind on Ip, source: device, relationship: blocked port bind on, target: ip, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0160, name: Device blocked connection from Ip, source: device, relationship: blocked connection from, target: ip, event_id: '5157', event_name: The Windows Filtering Platform has blocked a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0160, name: Device blocked connection from Ip, source: device, relationship: blocked connection from, target: ip, event_id: DeviceEvents, event_name: DeviceEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: FirewallInboundConnectionBlocked}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0138, name: User connected from Device, source: user, relationship: connected from, target: device, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0161, name: User connected from Ip, source: user, relationship: connected from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '5156', event_name: The Windows Filtering Platform has permitted a connection., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0166, name: Process connected from Ip, source: process, relationship: connected from, target: ip, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: InboundConnectionAccepted}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: '3', event_name: Network connection., event_platform: windows, audit_category: NetworkConnect, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: '3', event_name: Network connection., event_platform: linux, audit_category: NetworkConnect, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0104, name: User connected to Device, source: user, relationship: connected to, target: device, event_id: DeviceNetworkEvents, event_name: DeviceNetworkEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ConnectionSuccess}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: network traffic, data_component: network connection creation, relationship_id: REL-2022-0183, name: Process attempted to bind on Port, source: process, relationship: attempted to bind on, target: port, event_id: '5159', event_name: The Windows Filtering Platform has blocked a bind to a local port., event_platform: windows, audit_category: Object Access, audit_sub_category: Filtering Platform Connection, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0018, name: User executed Command, source: user, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4688', event_name: A new process has been created., event_platform: windows, audit_category: Detailed Tracking, audit_sub_category: Process Creation, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: windows, audit_category: ProcessCreate, audit_sub_category: .nan, channel: Microsoft-Windows-Sysmon/Operational, log_source: Microsoft-Windows-Sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '1', event_name: Process Creation., event_platform: linux, audit_category: ProcessCreate, audit_sub_category: .nan, channel: .nan, log_source: sysmon, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: '4103', event_name: Module logging., event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: Microsoft-Windows-PowerShell/Operational, log_source: Microsoft-Windows-PowerShell, filter_in: .nan}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: command, data_component: command execution, relationship_id: REL-2022-0131, name: Process executed Command, source: process, relationship: executed, target: command, event_id: DeviceProcessEvents, event_name: DeviceProcessEvents, event_platform: windows, audit_category: .nan, audit_sub_category: .nan, channel: .nan, log_source: Microsoft Defender for Endpoint, filter_in: [{ActionType: ProcessCreated}]}
- {technique_id: T1011, is_subtechnique: .nan, technique: Exfiltration Over Other Network Medium, tactic: [exfiltration], platform: [Linux, macOS, Windows], data_source: file, data_component: file access, relationship_id: REL-2022-0036, name: Process requested access to File, source: process, relationship: requested access to, target: file, event_id: '4656', event_name: A handle to an object was requested., event_platform: windows, audit_category: Object Access, audit_sub_category: File System, channel: Security, log_source: Microsoft-Windows-Security-Auditing, filter_in: [{ObjectType: File}]}
- technique_id: T1011
  is_subtechnique: .nan
  technique: Exfiltration Over Other Network Medium
  tactic:
  - exfiltration
  platform:
  - Linux
  - macOS
  - Windows
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1011 is_subtechnique: .nan technique: Exfiltration Over Other Network Medium tactic: - exfiltration platform: - Linux - macOS - Windows data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0018 name: User executed Command source: user relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4688' event_name: A new process has been created. event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. 
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: '4103' event_name: Module logging. 
event_platform: windows audit_category: .nan audit_sub_category: .nan channel: Microsoft-Windows-PowerShell/Operational log_source: Microsoft-Windows-PowerShell filter_in: .nan - technique_id: T1010 is_subtechnique: false technique: Application Window Discovery tactic: - discovery platform: - macOS - Windows - Linux data_source: command data_component: command execution relationship_id: REL-2022-0131 name: Process executed Command source: process relationship: executed target: command event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0007 name: Process connected from Port source: process relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0012 name: Process attempted connection to Port source: process relationship: attempted connection to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0017 name: Process connected to Ip source: process relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0074 name: Device blocked connection from Process source: device relationship: blocked connection from target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0051 name: Process connected from Host source: process relationship: connected from target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0090 name: Device permitted listener on Ip source: device relationship: permitted listener on target: ip event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0056 name: Process attempted connection to Ip source: process relationship: attempted connection to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionAttempt - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0057 name: User connected to Ip source: user relationship: connected to target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0084 name: Device blocked port bind on Process source: device relationship: blocked port bind on target: process event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0022 name: Device blocked listener on Ip source: device relationship: blocked listener on target: ip event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0068 name: Process listened on Port source: process relationship: listened on target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: '5031' event_name: The Windows Firewall Service blocked an application from accepting incoming connections on the network. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0033 name: Device blocked connection to Process source: Device relationship: blocked connection to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionToAppBlocked - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0079 name: Process attempted connection from Ip source: process relationship: attempted connection from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0028 name: Device blocked connection from Port source: device relationship: blocked connection from target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0091 name: Process attempted to listen on Port source: process relationship: attempted to listen on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: '5158' event_name: The Windows Filtering Platform has permitted a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0103 name: Process bound to Port source: process relationship: bound to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ListeningConnectionCreated - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0115 name: Device permitted listener on Port source: device relationship: permitted listener on target: port event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0108 name: User connected from Port source: user relationship: connected from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0112 name: Process attempted connection from Port source: process relationship: attempted connection from target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionRequest - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0113 name: Process connected to Port source: process relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0159 name: Device blocked listener on Port source: device relationship: blocked listener on target: port event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0173 name: Device blocked connection to Ip source: device relationship: blocked connection to target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0137 name: Device blocked connection to Port source: device relationship: blocked connection to target: port event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallOutboundConnectionBlocked - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0128 name: Device blocked listener on Process source: device relationship: blocked listener on target: process event_id: '5155' event_name: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0164 name: Device permitted listener on Process source: device relationship: permitted listener on target: process event_id: '5154' event_name: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0135 name: User connected to Port source: user relationship: connected to target: port event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0010 name: Device blocked port bind on Port source: device relationship: blocked port bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0141 name: Process connected to Host source: process relationship: connected to target: host event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0124 name: Device blocked port bind on Ip source: device relationship: blocked port bind on target: ip event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: '5157' event_name: The Windows Filtering Platform has blocked a connection. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0160 name: Device blocked connection from Ip source: device relationship: blocked connection from target: ip event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: FirewallInboundConnectionBlocked - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0138 name: User connected from Device source: user relationship: connected from target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0161 name: User connected from Ip source: user relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '5156' event_name: The Windows Filtering Platform has permitted a connection. 
event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0166 name: Process connected from Ip source: process relationship: connected from target: ip event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: InboundConnectionAccepted - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. event_platform: windows audit_category: NetworkConnect audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: '3' event_name: Network connection. 
event_platform: linux audit_category: NetworkConnect audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0104 name: User connected to Device source: user relationship: connected to target: device event_id: DeviceNetworkEvents event_name: DeviceNetworkEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ConnectionSuccess - technique_id: T1008 is_subtechnique: .nan technique: Fallback Channels tactic: - command-and-control platform: - Linux - Windows - macOS data_source: network traffic data_component: network connection creation relationship_id: REL-2022-0183 name: Process attempted to bind on Port source: process relationship: attempted to bind on target: port event_id: '5159' event_name: The Windows Filtering Platform has blocked a bind to a local port. event_platform: windows audit_category: Object Access audit_sub_category: Filtering Platform Connection channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1007 is_subtechnique: false technique: System Service Discovery tactic: - discovery platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '4688' event_name: A new process has been created. 
event_platform: windows audit_category: Detailed Tracking audit_sub_category: Process Creation channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1007 is_subtechnique: false technique: System Service Discovery tactic: - discovery platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1007 is_subtechnique: false technique: System Service Discovery tactic: - discovery platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: '1' event_name: Process Creation. 
event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1007 is_subtechnique: false technique: System Service Discovery tactic: - discovery platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0146 name: User created Process source: user relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1007 is_subtechnique: false technique: System Service Discovery tactic: - discovery platform: - Windows - macOS - Linux data_source: process data_component: process creation relationship_id: REL-2022-0153 name: Process created Thread source: process relationship: created target: thread event_id: '8' event_name: CreateRemoteThread. 
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1007
  is_subtechnique: false
  technique: System Service Discovery
  tactic: [discovery]
  platform: [Windows, macOS, Linux]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1006
  is_subtechnique: .nan
  technique: Direct Volume Access
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1006
  is_subtechnique: .nan
  technique: Direct Volume Access
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1006
  is_subtechnique: .nan
  technique: Direct Volume Access
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1006
  is_subtechnique: .nan
  technique: Direct Volume Access
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1006
  is_subtechnique: .nan
  technique: Direct Volume Access
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1006
  is_subtechnique: .nan
  technique: Direct Volume Access
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1006
  is_subtechnique: .nan
  technique: Direct Volume Access
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1006
  is_subtechnique: .nan
  technique: Direct Volume Access
  tactic: [defense-evasion]
  platform: [Windows]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: os api execution
  relationship_id: REL-2022-0150
  name: Process executed Api call
  source: process
  relationship: executed
  target: api call
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0036
  name: Process requested access to File
  source: process
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0075
  name: User accessed File
  source: user
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4656'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: File}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0092
  name: User requested access to File
  source: user
  relationship: requested access to
  target: file
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: SAM
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: [{ObjectType: SAM}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: file
  data_component: file access
  relationship_id: REL-2022-0139
  name: Process accessed File
  source: process
  relationship: accessed
  target: file
  event_id: '4663'
  event_name: An attempt was made to access an object.
  event_platform: windows
  audit_category: Object Access
  audit_sub_category: File System
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: '4104'
  event_name: Script Block Logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ScriptContent}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: PowerShellCommand}]
- technique_id: T1005
  is_subtechnique: false
  technique: Data from Local System
  tactic: [collection]
  platform: [Linux, macOS, Windows, Network]
  data_source: script
  data_component: script execution
  relationship_id: REL-2022-0066
  name: Process executed Script
  source: process
  relationship: executed
  target: script
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: AmsiScriptDetection}]
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: active directory
  data_component: active directory object access
  relationship_id: REL-2022-0015
  name: User requested access to AD Object
  source: user
  relationship: requested access to
  target: ad object
  event_id: '4661'
  event_name: A handle to an object was requested.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Access
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: active directory
  data_component: active directory object access
  relationship_id: REL-2022-0085
  name: User accessed AD Object
  source: user
  relationship: accessed
  target: ad object
  event_id: '4662'
  event_name: An operation was performed on an object.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Access
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: active directory
  data_component: active directory object access
  relationship_id: REL-2022-0085
  name: User accessed AD Object
  source: user
  relationship: accessed
  target: ad object
  event_id: '4932'
  event_name: Synchronization of a replica of an Active Directory naming context has begun.
  event_platform: windows
  audit_category: DS Access
  audit_sub_category: Directory Service Replication
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0018
  name: User executed Command
  source: user
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: '4103'
  event_name: Module logging.
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: Microsoft-Windows-PowerShell/Operational
  log_source: Microsoft-Windows-PowerShell
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: command
  data_component: command execution
  relationship_id: REL-2022-0131
  name: Process executed Command
  source: process
  relationship: executed
  target: command
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: windows
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
  event_platform: linux
  audit_category: ProcessCreate
  audit_sub_category: .nan
  channel: .nan
  log_source: sysmon
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0146
  name: User created Process
  source: user
  relationship: created
  target: process
  event_id: DeviceProcessEvents
  event_name: DeviceProcessEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: ProcessCreated}]
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: '8'
  event_name: CreateRemoteThread.
  event_platform: windows
  audit_category: CreateRemoteThread
  audit_sub_category: .nan
  channel: Microsoft-Windows-Sysmon/Operational
  log_source: Microsoft-Windows-Sysmon
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0153
  name: Process created Thread
  source: process
  relationship: created
  target: thread
  event_id: DeviceEvents
  event_name: DeviceEvents
  event_platform: windows
  audit_category: .nan
  audit_sub_category: .nan
  channel: .nan
  log_source: Microsoft Defender for Endpoint
  filter_in: [{ActionType: CreateRemoteThreadApiCall}]
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '4688'
  event_name: A new process has been created.
  event_platform: windows
  audit_category: Detailed Tracking
  audit_sub_category: Process Creation
  channel: Security
  log_source: Microsoft-Windows-Security-Auditing
  filter_in: .nan
- technique_id: T1003
  is_subtechnique: .nan
  technique: OS Credential Dumping
  tactic: [credential-access]
  platform: [Windows, Linux, macOS]
  data_source: process
  data_component: process creation
  relationship_id: REL-2022-0175
  name: Process created Process
  source: process
  relationship: created
  target: process
  event_id: '1'
  event_name: Process Creation.
event_platform: windows audit_category: ProcessCreate audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: '1' event_name: Process Creation. event_platform: linux audit_category: ProcessCreate audit_sub_category: .nan channel: .nan log_source: sysmon filter_in: .nan - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: process creation relationship_id: REL-2022-0175 name: Process created Process source: process relationship: created target: process event_id: DeviceProcessEvents event_name: DeviceProcessEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: ProcessCreated - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: process access relationship_id: REL-2022-0006 name: User accessed Process source: user relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: '10' event_name: Process Access. 
event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: process access relationship_id: REL-2022-0111 name: Process requested access to Process source: process relationship: requested access to target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '10' event_name: ProcessAccess event_platform: windows audit_category: ProcessAccess audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: Kernel Object channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Process - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: process access relationship_id: REL-2022-0121 name: Process accessed Process source: process relationship: accessed target: process event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: OpenProcessApiCall - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: '8' event_name: CreateRemoteThread. 
event_platform: windows audit_category: CreateRemoteThread audit_sub_category: .nan channel: Microsoft-Windows-Sysmon/Operational log_source: Microsoft-Windows-Sysmon filter_in: .nan - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: process data_component: os api execution relationship_id: REL-2022-0150 name: Process executed Api call source: process relationship: executed target: api call event_id: DeviceEvents event_name: DeviceEvents event_platform: windows audit_category: .nan audit_sub_category: .nan channel: .nan log_source: Microsoft Defender for Endpoint filter_in: - ActionType: CreateRemoteThreadApiCall - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: file data_component: file access relationship_id: REL-2022-0036 name: Process requested access to File source: process relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: file data_component: file access relationship_id: REL-2022-0075 name: User accessed File source: user relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: File - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: file data_component: file access relationship_id: REL-2022-0092 name: User requested access to File source: user relationship: requested access to target: file event_id: '4661' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: SAM channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: SAM - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: file data_component: file access relationship_id: REL-2022-0139 name: Process accessed File source: process relationship: accessed target: file event_id: '4663' event_name: An attempt was made to access an object. 
event_platform: windows audit_category: Object Access audit_sub_category: File System channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: .nan - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0048 name: Process accessed Registry source: process relationship: accessed target: registry event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0077 name: User accessed Registry source: user relationship: accessed target: registry event_id: '4663' event_name: An attempt was made to access an object. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0070 name: Process requested access to Registry source: process relationship: requested access to target: registry event_id: '4656' event_name: A handle to an object was requested. 
event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key - technique_id: T1003 is_subtechnique: .nan technique: OS Credential Dumping tactic: - credential-access platform: - Windows - Linux - macOS data_source: windows registry data_component: windows registry key access relationship_id: REL-2022-0013 name: User requested access to Registry source: user relationship: requested access to target: registry event_id: '4656' event_name: A handle to an object was requested. event_platform: windows audit_category: Object Access audit_sub_category: Registry channel: Security log_source: Microsoft-Windows-Security-Auditing filter_in: - ObjectType: Key