customer,tactic,technique,detection_rule,category,platform,type,channel,provider,data_needed,logging policy,enrichment,enrichment requirements,response playbook,response action
None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
None,TA0007: Discovery,T1069: Permission Groups Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
None,TA0007: Discovery,T1069: Permission Groups Discovery,Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
None,TA0006: Credential Access,T1208: Kerberoasting,Suspicious Kerberos RC4 Ticket Encryption,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,SAM Dump to AppData,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,-,,,-,title
None,TA0005: Defense Evasion,T1099: Timestomp,Unauthorized System Time Modification,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0088_4616_system_time_was_changed,LP_0046_windows_audit_security_state_change,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Persistence and Execution at Scale via GPO Scheduled Task,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
None,TA0008: Lateral Movement,T1053: Scheduled Task,Persistence and Execution at Scale via GPO Scheduled Task,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0006: Credential Access,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
None,TA0006: Credential Access,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0002: Execution,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
None,TA0002: Execution,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0002: Execution,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
None,TA0002: Execution,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,-,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0006: Credential Access,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,-,,,-,title
None,TA0006: Credential Access,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0002: Execution,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,-,,,-,title
None,TA0002: Execution,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0002: Execution,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,-,,,-,title
None,TA0002: Execution,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,-,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0006: Credential Access,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,-,,,-,title
None,TA0006: Credential Access,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0002: Execution,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,-,,,-,title
None,TA0002: Execution,T1003: Credential Dumping,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0002: Execution,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,-,,,-,title
None,TA0002: Execution,T1035: Service Execution,Credential Dumping Tools Service Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0003: Persistence,T1050: New Service,Turla Service Install,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
None,TA0007: Discovery,T1012: Query Registry,SysKey Registry Keys Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
None,TA0007: Discovery,T1012: Query Registry,SysKey Registry Keys Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0007: Discovery,T1012: Query Registry,SysKey Registry Keys Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0007: Discovery,T1012: Query Registry,SysKey Registry Keys Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
None,TA0007: Discovery,T1012: Query Registry,SysKey Registry Keys Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
None,TA0007: Discovery,T1012: Query Registry,SysKey Registry Keys Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0007: Discovery,T1012: Query Registry,SysKey Registry Keys Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0007: Discovery,T1012: Query Registry,SysKey Registry Keys Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
None,TA0002: Execution,T1086: PowerShell,Remote PowerShell Sessions,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,New or Renamed User Account with '$' in Attribute 'SamAccountName'.,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title
None,TA0003: Persistence,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title
None,TA0004: Privilege Escalation,T1078: Valid Accounts,Account Tampering - Suspicious Failed Logon Reasons,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz DC Sync,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,,,-,title
None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,RDP Login from Localhost,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0007: Discovery,T1087: Account Discovery,AD Privileged Users or Groups Reconnaissance,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0028_windows_audit_sam,,,-,title
None,TA0007: Discovery,T1087: Account Discovery,AD Privileged Users or Groups Reconnaissance,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0029_4661_handle_to_an_object_was_requested,LP_0027_windows_audit_directory_service_access,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0102_windows_audit_file_system,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0103_windows_audit_registry,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0042_windows_audit_handle_manipulation,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0102_windows_audit_file_system,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0103_windows_audit_registry,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0042_windows_audit_handle_manipulation,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
None,TA0005: Defense Evasion,T1107: File Deletion,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
None,TA0005: Defense Evasion,T1066: Indicator Removal from Tools,Secure Deletion with SDelete,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
None,TA0008: Lateral Movement,T1075: Pass the Hash,Pass the Hash Activity 2,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,-,,,-,title
None,TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0003: Persistence,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,-,,,-,title
None,TA0003: Persistence,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,-,,,-,title
None,TA0006: Credential Access,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0003: Persistence,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,-,,,-,title
None,TA0003: Persistence,T1098: Account Manipulation,Active Directory User Backdoors,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,QuarksPwDump Clearing Access History,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Kernel-General,DN_0083_16_access_history_in_hive_was_cleared,-,,,-,title
None,TA0003: Persistence,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0004: Privilege Escalation,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0074_4765_sid_history_was_added_to_an_account,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0003: Persistence,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0004: Privilege Escalation,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0003: Persistence,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0004: Privilege Escalation,T1178: SID-History Injection,Addition of SID History to Active Directory Object,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0075_4766_attempt_to_add_sid_history_to_an_account_failed,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,-,,,-,title
None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,-,,,-,title
None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0008: Lateral Movement,T1075: Pass the Hash,NTLM Logon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-NTLM/Operational,Microsoft-Windows-NTLM,DN_0082_8002_ntlm_server_blocked_audit,LP_0044_windows_ntlm_audit,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Invoke-Obfuscation Obfuscated IEX Invocation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Invoke-Obfuscation Obfuscated IEX Invocation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Invoke-Obfuscation Obfuscated IEX Invocation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,-,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Invoke-Obfuscation Obfuscated IEX Invocation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Invoke-Obfuscation Obfuscated IEX Invocation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,-,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Invoke-Obfuscation Obfuscated IEX Invocation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0008: Lateral Movement,T1078: Valid Accounts,Admin User Remote Logon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,-,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,APT29 Google Update Service Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1136: Create Account,Local User Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Transfering Files with Credential Data via Network Shares,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
None,TA0002: Execution,T1053: Scheduled Task,Rare Schtasks Creations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0004: Privilege Escalation,T1053: Scheduled Task,Rare Schtasks Creations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Rare Schtasks Creations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0008: Lateral Movement,T1075: Pass the Hash,Successful Overpass the Hash Attempt,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Security 
Eventlog Cleared,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Eventlog,DN_0050_1102_audit_log_was_cleared,-,,,-,title None,TA0003: Persistence,T1050: New Service,StoneDrill Service Install,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0003: Persistence,T1041: Exfiltration Over Command and Control Channel,Suspicious LDAP-Attributes Used,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0026_5136_windows_directory_service_object_was_modified,-,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Eventlog Cleared,OS Logs,Windows,Windows Log,System,Microsoft-Windows-Eventlog,DN_0034_104_log_file_was_cleared,-,,,-,title None,TA0003: Persistence,T1136: Create Account,Suspicious Windows ANONYMOUS LOGON Local Account Created,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0086_4720_user_account_was_created,LP_0026_windows_audit_user_account_management,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DHCP Server Loaded the CallOut DLL,OS Logs,Windows,Applications and Services Logs,System,Microsoft-Windows-DHCP-Server,DN_0048_1033_dhcp_service_successfully_loaded_callout_dlls,-,,,-,title None,TA0007: Discovery,T1012: Query Registry,SAM Registry Hive Handle Request,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title None,TA0007: Discovery,T1012: Query Registry,SAM Registry Hive Handle Request,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title None,TA0007: Discovery,T1012: Query Registry,SAM Registry Hive Handle Request,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title 
None,TA0007: Discovery,T1012: Query Registry,SAM Registry Hive Handle Request,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,MSHTA Suspicious Execution 01,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0001: Initial Access,T1210: Exploitation of Remote Services,Potential RDP Exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Potential RDP Exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Potential RDP Exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title None,TA0008: Lateral Movement,T1190: Exploit Public-Facing Application,Potential RDP Exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0090_50_terminal_server_security_layer_detected_an_error,-,,,-,title None,TA0001: Initial Access,T1210: Exploitation of Remote Services,Potential RDP Exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Potential RDP Exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Potential RDP Exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title None,TA0008: Lateral Movement,T1190: Exploit Public-Facing Application,Potential RDP Exploit CVE-2019-0708,OS Logs,Windows,Windows Log,System,TermDD,DN_0089_56_terminal_server_security_layer_detected_an_error,-,,,-,title None,TA0008: Lateral Movement,T1208: Kerberoasting,Suspicious Outbound Kerberos Connection,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title None,TA0008: Lateral Movement,T1077: Windows Admin Shares,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0008: Lateral Movement,T1035: Service Execution,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0002: Execution,T1077: Windows Admin Shares,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0002: Execution,T1035: Service Execution,smbexec.py Service Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS Server Error Failed Loading the ServerLevelPluginDLL,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0043_770_dns_server_plugin_dll_has_been_loaded,-,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS Server Error Failed Loading the ServerLevelPluginDLL,OS Logs,Windows,Applications and Services Logs,DNS Server,Microsoft-Windows-DNS-Server-Service,DN_0036_150_dns_server_could_not_load_dll,-,,,-,title None,TA0003: Persistence,T1003: Credential Dumping,Malicious Service Installations,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0003: Persistence,T1035: Service Execution,Malicious Service Installations,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0003: Persistence,T1050: New Service,Malicious Service Installations,OS Logs,Windows,Windows 
Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0004: Privilege Escalation,T1003: Credential Dumping,Malicious Service Installations,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0004: Privilege Escalation,T1035: Service Execution,Malicious Service Installations,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0004: Privilege Escalation,T1050: New Service,Malicious Service Installations,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0007: Discovery,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0007: Discovery,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title 
None,TA0007: Discovery,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title None,TA0002: Execution,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title None,TA0002: Execution,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title None,TA0002: Execution,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title None,TA0002: Execution,T1059: 
Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0007: Discovery,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0007: Discovery,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0007: Discovery,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1087: Account Discovery,Hacktool 
Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title None,TA0002: Execution,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title None,TA0002: Execution,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title None,TA0002: Execution,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0107_windows_audit_credential_validation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Hacktool Ruler,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title None,TA0007: Discovery,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title None,TA0007: Discovery,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title None,TA0007: Discovery,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title None,TA0007: Discovery,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title 
None,TA0002: Execution,T1087: Account Discovery,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title None,TA0002: Execution,T1075: Pass the Hash,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title None,TA0002: Execution,T1114: Email Collection,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Hacktool Ruler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title None,TA0002: Execution,T1175: Component Object Model and Distributed COM,MMC20 Lateral Movement,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1175: Component Object Model and Distributed COM,MMC20 Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1175: Component Object Model and Distributed COM,MMC20 Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1175: Component Object Model and Distributed COM,MMC20 Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1175: Component Object Model and Distributed COM,MMC20 Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1175: Component Object Model and Distributed COM,MMC20 Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1112: Modify Registry,Remote Registry Management Using Reg Utility,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title None,TA0005: Defense Evasion,T1012: Query Registry,Remote Registry Management Using Reg Utility,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title None,TA0007: Discovery,T1112: Modify Registry,Remote Registry Management Using Reg Utility,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title None,TA0007: Discovery,T1012: Query Registry,Remote Registry Management Using Reg Utility,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title None,TA0005: Defense Evasion,T1222: File and Directory Permissions Modification,AD Object WriteDAC Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,,,-,title None,TA0004: Privilege Escalation,T1078: Valid Accounts,Enabled User Right in AD to Control User Objects,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0066_4704_user_right_was_assigned,LP_0105_windows_audit_authorization_policy_change,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DHCP Server Error Failed Loading the CallOut DLL,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0049_1034_dhcp_service_failed_to_load_callout_dlls,-,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DHCP Server Error Failed Loading the CallOut DLL,OS Logs,Windows,Windows Log,System,Microsoft-Windows-DHCP-Server,DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception,-,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DHCP Server Error Failed Loading the CallOut DLL,OS Logs,Windows,Windows 
Log,System,Microsoft-Windows-DHCP-Server,DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception,-,,,-,title None,TA0005: Defense Evasion,T1054: Indicator Blocking,Disabling Windows Event Auditing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0067_4719_system_audit_policy_was_changed,-,,,-,title None,TA0003: Persistence,T1050: New Service,Rare Service Installs,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0004: Privilege Escalation,T1050: New Service,Rare Service Installs,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0040_528_user_successfully_logged_on_to_a_computer,LP_0004_windows_audit_logon,,,-,title None,TA0008: Lateral Movement,T1078: Valid Accounts,Interactive Logon to Server Systems,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0004_windows_audit_logon,,,-,title None,TA0003: Persistence,T1098: Account Manipulation,Password Change on Directory Service Restore Mode (DSRM) Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0026_windows_audit_user_account_management,,,-,title None,TA0004: Privilege 
Escalation,T1098: Account Manipulation,Password Change on Directory Service Restore Mode (DSRM) Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0028_4794_directory_services_restore_mode_admin_password_set,LP_0026_windows_audit_user_account_management,,,-,title None,TA0006: Credential Access,T1212: Exploitation for Credential Access,NetNTLM Downgrade Attack,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0103_windows_audit_registry,,,-,title None,TA0006: Credential Access,T1212: Exploitation for Credential Access,NetNTLM Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0103_windows_audit_registry,,,-,title None,TA0008: Lateral Movement,T1021: Remote Services,Protected Storage Service Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0102_windows_audit_file_system,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0039_windows_audit_kernel_object,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0104_windows_audit_removable_storage,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0103_windows_audit_registry,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0060_4658_handle_to_an_object_was_closed,LP_0042_windows_audit_handle_manipulation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0042_windows_audit_handle_manipulation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0102_windows_audit_file_system,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0103_windows_audit_registry,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0042_windows_audit_handle_manipulation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,WCE wceaux.dll Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0042_windows_audit_handle_manipulation,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Suspicious PsExec Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0004_windows_audit_logon,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0042_675_kerberos_preauthentication_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0004_windows_audit_logon,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0077_4769_kerberos_service_ticket_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0004_windows_audit_logon,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0078_4771_kerberos_pre_authentication_failed,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0004_windows_audit_logon,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0106_windows_audit_kerberos_service_ticket_operations,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Kerberos Manipulation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0076_4768_kerberos_authentication_ticket_was_requested,LP_0038_windows_audit_kerberos_authentication_service,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Weak Encryption Enabled and Kerberoast,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Driver Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Driver Installation,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Driver Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,-,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Driver Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Driver Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,-,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Driver Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0063_4697_service_was_installed_in_the_system,LP_0100_windows_audit_security_system_extension,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0029_windows_audit_detailed_file_share,,,-,title
None,TA0006: Credential Access,T1212: Exploitation for Credential Access,Possible Remote Password Change Through SAMR,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0027_4738_user_account_was_changed,LP_0026_windows_audit_user_account_management,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,DPAPI Domain Backup Key Extraction,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,,,-,title
None,TA0004: Privilege Escalation,T1171: LLMNR/NBT-NS Poisoning and Relay,RottenPotato Like Attack Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0006: Credential Access,T1171: LLMNR/NBT-NS Poisoning and Relay,RottenPotato Like Attack Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,First Time Seen Remote Named Pipe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
None,TA0002: Execution,T1047: Windows Management Instrumentation,Login with WMI,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0001: Initial Access,T1200: Hardware Additions,USB Device Plugged,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0054_2102_pnp_or_power_operation_for_usb_device,-,,,-,title
None,TA0001: Initial Access,T1200: Hardware Additions,USB Device Plugged,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0053_2100_pnp_or_power_operation_for_usb_device,-,,,-,title
None,TA0001: Initial Access,T1200: Hardware Additions,USB Device Plugged,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-DriverFrameworks-UserMode/Operational,Microsoft-Windows-DriverFrameworks-UserMode,DN_0052_2003_query_to_load_usb_drivers,-,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Access from Non System Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Access from Non System Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Access from Non System Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Access from Non System Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Access from Non System Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Access from Non System Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Access from Non System Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Access from Non System Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Possible Impacket SecretDump Remote Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
None,TA0003: Persistence,T1050: New Service,Turla PNG Dropper Service,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
None,TA0008: Lateral Movement,T1075: Pass the Hash,Pass the Hash Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0008: Lateral Movement,T1075: Pass the Hash,Pass the Hash Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0004_4624_windows_account_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Active Directory Replication from Non Machine Account,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Access to ADMIN$ Share,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0033_5140_network_share_object_was_accessed,LP_0030_windows_audit_file_share,,,-,title
None,TA0004: Privilege Escalation,T1078: Valid Accounts,User Added to Local Administrators,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0069_4732_member_was_added_to_security_enabled_local_group,LP_0101_windows_audit_security_group_management,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Generic Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Generic Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Generic Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Generic Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Generic Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Generic Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Generic Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Generic Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Activity on LSASS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
None,TA0005: Defense Evasion,T1076: Remote Desktop Protocol,RDP over Reverse SSH Tunnel WFP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
None,TA0005: Defense Evasion,T1090: Connection Proxy,RDP over Reverse SSH Tunnel WFP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
None,TA0011: Command and Control,T1076: Remote Desktop Protocol,RDP over Reverse SSH Tunnel WFP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
None,TA0011: Command and Control,T1090: Connection Proxy,RDP over Reverse SSH Tunnel WFP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,RDP over Reverse SSH Tunnel WFP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
None,TA0008: Lateral Movement,T1090: Connection Proxy,RDP over Reverse SSH Tunnel WFP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0087_5156_windows_filtering_platform_has_permitted_connection,LP_0045_windows_audit_filtering_platform_connection,,,-,title
None,TA0007: Discovery,T1087: Account Discovery,AD User Enumeration,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0030_4662_operation_was_performed_on_an_object,LP_0027_windows_audit_directory_service_access,,,-,title
None,TA0008: Lateral Movement,T1053: Scheduled Task,Remote Task Creation via ATSVC Named Pipe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Remote Task Creation via ATSVC Named Pipe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0032_5145_network_share_object_was_accessed_detailed,LP_0029_windows_audit_detailed_file_share,,,-,title
None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Scanner PoC for CVE-2019-0708 RDP RCE Vuln,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0003: Persistence,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0003: Persistence,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
None,TA0004: Privilege Escalation,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0004_windows_audit_logon,,,-,title
None,TA0004: Privilege Escalation,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0057_4625_account_failed_to_logon,LP_0107_windows_audit_credential_validation,,,-,title
None,TA0003: Persistence,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title
None,TA0003: Persistence,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
None,TA0004: Privilege Escalation,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0004_windows_audit_logon,,,-,title
None,TA0004: Privilege Escalation,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0079_4776_computer_attempted_to_validate_the_credentials_for_an_account,LP_0107_windows_audit_credential_validation,,,-,title
None,TA0003: Persistence,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0004_windows_audit_logon,,,-,title
None,TA0003: Persistence,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0107_windows_audit_credential_validation,,,-,title
None,TA0004: Privilege Escalation,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0004_windows_audit_logon,,,-,title
None,TA0004: Privilege Escalation,T1078: Valid Accounts,Failed Logins with Different Accounts from Single Source System,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0041_529_logon_failure,LP_0107_windows_audit_credential_validation,,,-,title
None,TA0003: Persistence,T1100: Web Shell,Antivirus Web Shell Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
None,TA0002: Execution,T1203: Exploitation for Client Execution,Antivirus Exploitation Framework Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
None,TA0002: Execution,T1219: Remote Access Tools,Antivirus Exploitation Framework Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
None,TA0011: Command and Control,T1203: Exploitation for Client Execution,Antivirus Exploitation Framework Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
None,TA0011: Command and Control,T1219: Remote Access Tools,Antivirus Exploitation Framework Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Antivirus Password Dumper Detection,AV Alerts,antivirus,None,None,None,DN_0084_av_alert,-,,,-,title
None,TA0002: Execution,T1112: Modify Registry,Ursnif,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,-,,,-,title
None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,-,,,-,title
None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0031_7036_service_started_stopped,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
None,TA0002: Execution,T1035: Service Execution,PsExec Tool Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0102_windows_audit_file_system,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0058_4656_handle_to_an_object_was_requested,LP_0103_windows_audit_registry,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0102_windows_audit_file_system,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0061_4660_object_was_deleted,LP_0103_windows_audit_registry,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0102_windows_audit_file_system,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0059_4657_registry_value_was_modified,LP_0103_windows_audit_registry,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0102_windows_audit_file_system,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0039_windows_audit_kernel_object,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0104_windows_audit_removable_storage,,,-,title
None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Windows Defender Exclusion Set,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0062_4663_attempt_was_made_to_access_an_object,LP_0103_windows_audit_registry,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Rare Scheduled Task Creations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-TaskScheduler/Operational,Microsoft-Windows-TaskScheduler,DN_0035_106_task_scheduler_task_registered,-,,,-,title
None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,-,,,-,title
None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0081_5861_wmi_activity,-,,,-,title
None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,-,,,-,title
None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-WMI-Activity/Operational,Microsoft-Windows-WMI-Activity,DN_0080_5859_wmi_activity,-,,,-,title
None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,-,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,-,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Invoke-Obfuscation Obfuscated IEX Invocation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0108_windows_powershell_module_logging,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Invoke-Obfuscation Obfuscated IEX Invocation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Invoke-Obfuscation Obfuscated IEX Invocation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0108_windows_powershell_module_logging,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Invoke-Obfuscation Obfuscated IEX Invocation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0005: Defense Evasion,T1096: NTFS File Attributes,NTFS Alternate Data Stream,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0108_windows_powershell_module_logging,,,-,title
None,TA0005: Defense Evasion,T1096: NTFS File Attributes,NTFS Alternate Data Stream,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0005: Defense Evasion,T1096: NTFS File Attributes,NTFS Alternate Data Stream,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0108_windows_powershell_module_logging,,,-,title
None,TA0005: Defense Evasion,T1096: NTFS File Attributes,NTFS Alternate Data Stream,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0002: Execution,T1047: Windows Management Instrumentation,WMImplant Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0002: Execution,T1086: PowerShell,Remote PowerShell Session,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0108_windows_powershell_module_logging,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell Credential Prompt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0006: Credential Access,T1086: PowerShell,PowerShell Credential Prompt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0002: Execution,T1086: PowerShell,Malicious Nishang PowerShell Commandlets,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0108_windows_powershell_module_logging,,,-,title
None,TA0002: Execution,T1086: PowerShell,Malicious Nishang PowerShell Commandlets,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0002: Execution,T1086: PowerShell,Malicious Nishang PowerShell Commandlets,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0108_windows_powershell_module_logging,,,-,title
None,TA0002: Execution,T1086: PowerShell,Malicious Nishang PowerShell Commandlets,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Called from an Executable Version Mismatch,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,-,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell Called from an Executable Version Mismatch,OS Logs,Windows,Applications and Services Logs,Windows PowerShell,PowerShell,DN_0038_400_engine_state_is_changed_from_none_to_available,-,,,-,title
None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Generic,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0108_windows_powershell_module_logging,,,-,title
None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Generic,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Generic,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0108_windows_powershell_module_logging,,,-,title
None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocations - Generic,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0004: Privilege Escalation,T1055: Process Injection,PowerShell ShellCode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0004: Privilege Escalation,T1086: PowerShell,PowerShell ShellCode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title
None,TA0002: Execution,T1055: Process Injection,PowerShell ShellCode,OS Logs,Windows,Applications and Services
Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell ShellCode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Dnscat Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell PSAttack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0108_windows_powershell_module_logging,,,-,title None,TA0010: Exfiltration,T1002: Data Compressed,Data Compressed - Powershell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title None,TA0002: Execution,T1086: PowerShell,Alternate PowerShell Hosts,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0108_windows_powershell_module_logging,,,-,title None,TA0003: Persistence,T1004: Winlogon Helper DLL,Winlogon Helper DLL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Create Local 
User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title None,TA0002: Execution,T1136: Create Account,PowerShell Create Local User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title None,TA0003: Persistence,T1086: PowerShell,PowerShell Create Local User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title None,TA0003: Persistence,T1136: Create Account,PowerShell Create Local User,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title None,TA0005: Defense Evasion,T1146: Clear Command History,Clear PowerShell History,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0108_windows_powershell_module_logging,,,-,title None,TA0005: Defense Evasion,T1146: Clear Command History,Clear PowerShell History,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0037_4103_windows_powershell_executing_pipeline,LP_0109_windows_powershell_script_block_logging,,,-,title None,TA0005: Defense Evasion,T1146: Clear Command History,Clear PowerShell History,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0108_windows_powershell_module_logging,,,-,title None,TA0005: Defense Evasion,T1146: Clear Command History,Clear PowerShell History,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-PowerShell,DN_0036_4104_windows_powershell_script_block,LP_0109_windows_powershell_script_block_logging,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Interactive AT Job,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Interactive AT Job,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Interactive AT Job,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Interactive AT Job,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Interactive AT Job,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Interactive AT Job,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1047: Windows Management Instrumentation,WMI Persistence - Script Event Consumer,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Applications and 
Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,WSF/JSE/JS/VBA/VBE File Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Winnti Malware HK University Campaign,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Winnti Malware HK University Campaign,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Winnti Malware HK University Campaign,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Winnti Malware HK University Campaign,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Winnti Malware HK University Campaign,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Winnti Malware HK University Campaign,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Applications 
and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious XOR Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Invocation Based on Parent Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0010: Exfiltration,T1020: Automated Exfiltration,Suspicious Compression Tool Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0010: Exfiltration,T1002: Data Compressed,Suspicious Compression Tool Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI Execution,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,Suspicious WMI Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1031: Modify Existing Service,Suspicious Service Path Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1031: Modify Existing Service,Suspicious Service Path Modification,OS Logs,Windows,Applications and 
Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1031: Modify Existing Service,Suspicious Service Path Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1031: Modify Existing Service,Suspicious Service Path Modification,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1031: Modify Existing Service,Suspicious Service Path Modification,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1031: Modify Existing Service,Suspicious Service Path Modification,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1047: Windows Management Instrumentation,Impacket Lateralization Detection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,Impacket Lateralization Detection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1060: Registry Run Keys / Startup 
Folder,Direct Autorun Keys Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Direct Autorun Keys Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Direct Autorun Keys Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Direct Autorun Keys Modification,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Direct Autorun Keys Modification,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Direct Autorun Keys Modification,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as LOCAL_SYSTEM,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: 
Privilege Escalation,T1068: Exploitation for Privilege Escalation,Windows Kernel and 3rd-Party Drivers Exploits Token Stealing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Windows Kernel and 3rd-Party Drivers Exploits Token Stealing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET 
Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Powershell AMSI Bypass via .NET Reflection,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Net.exe 
Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1027: Obfuscated Files or Information,Net.exe Execution,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1077: Windows Admin Shares,Net.exe Execution,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1049: System Network Connections Discovery,Net.exe 
Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1135: Network Share Discovery,Net.exe 
Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: 
Discovery,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title 
None,TA0005: Defense Evasion,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1049: System Network Connections Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1077: Windows Admin Shares,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1135: Network Share Discovery,Net.exe Execution,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title 
None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1127: Trusted Developer Utilities,Microsoft Workflow Compiler,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential 
Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense 
Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title 
None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1003: Credential Dumping,NotPetya Ransomware Activity,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1035: Service Execution,PsExec Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1035: Service Execution,PsExec Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP 
Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious GUP Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1218: Signed Binary Proxy Execution,Psr.exe Capture Screenshots,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1218: Signed Binary Proxy Execution,Psr.exe Capture Screenshots,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1218: Signed Binary Proxy Execution,Psr.exe Capture Screenshots,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1218: Signed Binary Proxy Execution,Psr.exe Capture Screenshots,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1218: Signed Binary Proxy Execution,Psr.exe Capture Screenshots,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1218: Signed Binary Proxy Execution,Psr.exe Capture Screenshots,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Fireball Archer Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Fireball Archer Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Fireball Archer Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Fireball Archer Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Fireball Archer Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Fireball Archer Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line 
Interface,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Fireball Archer Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,BlueMashroom DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1138: Application Shimming,Possible Shim Database Persistence via sdbinst.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1175: 
Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1175: Component Object Model and Distributed COM,MMC Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Svchost Process,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0011: Command and Control,T1090: Connection Proxy,Netsh,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Shadow Copies Deletion Using Operating Systems Utilities,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Shadow Copies Deletion Using Operating Systems Utilities,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title 
None,TA0005: Defense Evasion,T1490: Inhibit System Recovery,Shadow Copies Deletion Using Operating Systems Utilities,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1490: Inhibit System Recovery,Shadow Copies Deletion Using Operating Systems Utilities,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0040: Impact,T1070: Indicator Removal on Host,Shadow Copies Deletion Using Operating Systems Utilities,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0040: Impact,T1070: Indicator Removal on Host,Shadow Copies Deletion Using Operating Systems Utilities,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0040: Impact,T1490: Inhibit System Recovery,Shadow Copies Deletion Using Operating Systems Utilities,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0040: Impact,T1490: Inhibit System Recovery,Shadow Copies Deletion Using Operating Systems Utilities,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via Fodhelper.exe,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via Fodhelper.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via Fodhelper.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via Fodhelper.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via Fodhelper.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via Fodhelper.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WMIExec VBS Script,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WMIExec VBS Script,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,WMIExec VBS Script,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WMIExec VBS Script,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WMIExec VBS Script,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,WMIExec VBS Script,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Installer Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Installer Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Installer Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0010: Exfiltration,T1048: Exfiltration Over 
Alternative Protocol,Tap Installer Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Installer Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Installer Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Installer Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Installer Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,Tap Installer Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1170: Mshta,Koadic Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,Koadic 
Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1170: Mshta,Koadic Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,Koadic Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,Koadic Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1170: Mshta,Koadic Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility 
Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Suspicious Debugger Registration Cmdline,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious 
Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious Encoded PowerShell Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1059: Command-Line Interface,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1059: Command-Line Interface,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1059: Command-Line Interface,Tasks Folder Evasion,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Tasks Folder Evasion,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1064: Scripting,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1211: Exploitation for Defense Evasion,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1059: Command-Line Interface,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1059: Command-Line 
Interface,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1059: Command-Line Interface,Tasks Folder Evasion,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: 
Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: 
Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies 
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url 
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message 
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp 
Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp 
Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing 
Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: 
Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Execution in Outlook Temp Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0002: Execution,T1086: PowerShell,Malicious Base64 Encoded PowerShell Keywords in Command Lines,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Malicious Base64 Encoded PowerShell Keywords in Command Lines,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Malicious Base64 Encoded PowerShell Keywords in Command Lines,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Malicious Base64 Encoded PowerShell Keywords in Command Lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Malicious Base64 Encoded PowerShell Keywords in Command Lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Malicious Base64 Encoded PowerShell Keywords in Command Lines,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Download from URL,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application 
Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dxcap.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1127: Trusted Developer Utilities,Suspicious Use of CSharp Interactive Console,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title 
None,TA0002: Execution,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,OpenWith.exe Executes Specified Binary,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Grabbing Sensitive Hives via Reg Utility,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Grabbing Sensitive Hives via Reg Utility,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1208: Kerberoasting,Possible SPN Enumeration,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1018: Remote System Discovery,Windows Network Enumeration,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1018: Remote System Discovery,Windows Network Enumeration,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1018: Remote System Discovery,Windows Network Enumeration,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1018: Remote System Discovery,Windows Network Enumeration,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1018: Remote System Discovery,Windows Network Enumeration,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1018: Remote System Discovery,Windows Network Enumeration,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0040: Impact,T1490: Inhibit System Recovery,Modification of Boot Configuration,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0040: Impact,T1490: Inhibit System Recovery,Modification of Boot Configuration,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0040: Impact,T1490: Inhibit System Recovery,Modification of Boot Configuration,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0040: Impact,T1490: Inhibit System Recovery,Modification of Boot Configuration,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0040: Impact,T1490: Inhibit System Recovery,Modification of Boot Configuration,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0040: Impact,T1490: Inhibit System Recovery,Modification of Boot Configuration,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Bloodhound and Sharphound Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Bloodhound and Sharphound Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Bloodhound and Sharphound Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Bloodhound and Sharphound Hack Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Bloodhound and Sharphound Hack Tool,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Bloodhound and Sharphound Hack Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1046: Network Service Scanning,Java Running with Remote Debugging,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1047: Windows Management Instrumentation,Wmiprvse Spawning Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process 
Pattern,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Dridex Process Pattern,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1158: Hidden Files and Directories,Hiding Files with Attrib.exe,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1158: Hidden Files and Directories,Hiding Files with Attrib.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1118: InstallUtil,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1121: Regsvcs/Regasm,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1127: Trusted Developer Utilities,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Possible Applocker Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via PowerShell,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1033: System Owner/User Discovery,Run Whoami as SYSTEM,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1033: System Owner/User Discovery,Run Whoami as SYSTEM,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Renamed Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense 
Evasion,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Sofacy Trojan Loader Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0011: Command and Control,T1105: Remote File Copy,Malicious Payload Download via Office Binaries,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0011: Command and Control,T1105: Remote File Copy,Malicious Payload Download via Office Binaries,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0011: Command and Control,T1105: Remote File Copy,Malicious Payload Download via Office Binaries,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0011: Command and Control,T1105: Remote File Copy,Malicious Payload Download via Office Binaries,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0011: Command and Control,T1105: Remote File Copy,Malicious Payload Download via Office Binaries,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0011: Command and Control,T1105: Remote File Copy,Malicious Payload Download via Office Binaries,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1055: Process Injection,Exploiting SetupComplete.cmd CVE-2019-1378,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1055: Process Injection,Exploiting SetupComplete.cmd CVE-2019-1378,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary 
Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Dnx.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: 
Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,MS Office Product Spawning Exe in User Dir,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Bginfo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting 
Bypass via Bginfo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Bginfo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Bginfo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Bginfo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Bginfo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Bginfo,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Bginfo,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Bginfo,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Bginfo,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Bginfo,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via Bginfo,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Parent of Csc.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,FromBase64String Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,FromBase64String Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,FromBase64String Command Line,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,FromBase64String Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,FromBase64String Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,FromBase64String Command Line,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0004: Privilege Escalation,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1053: Scheduled Task,Windows 10 Scheduled Task SandboxEscaper 0-day,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1059: Command-Line Interface,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1077: Windows Admin Shares,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1083: File and Directory Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1135: Network Share Discovery,Turla Group Lateral Movement,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1086: PowerShell,Empire PowerShell Launch Parameters,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0010: Exfiltration,T1002: Data Compressed,Data Compressed - rar.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0010: Exfiltration,T1002: Data Compressed,Data Compressed - rar.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0010: Exfiltration,T1002: Data Compressed,Data Compressed - rar.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0010: Exfiltration,T1002: Data Compressed,Data Compressed - rar.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0010: Exfiltration,T1002: Data Compressed,Data Compressed - rar.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0010: Exfiltration,T1002: Data Compressed,Data Compressed - rar.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious Execution from Outlook,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Hurricane Panda Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Hurricane Panda Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Hurricane Panda 
Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Hurricane Panda Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Hurricane Panda Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Hurricane Panda Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Curl Start Combination,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Curl Start Combination,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Curl Start Combination,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy 
Execution,Curl Start Combination,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Curl Start Combination,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Curl Start Combination,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded FromBase64String,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded FromBase64String,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded FromBase64String,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Encoded FromBase64String,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Encoded FromBase64String,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or 
Information,Encoded FromBase64String,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded FromBase64String,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded FromBase64String,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded FromBase64String,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Encoded FromBase64String,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Encoded FromBase64String,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Encoded FromBase64String,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Encoded FromBase64String,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,WMI Spawning Windows PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,TropicTrooper Campaign November 2018,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,TropicTrooper Campaign November 2018,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,TropicTrooper Campaign November 2018,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,TropicTrooper Campaign November 2018,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,TropicTrooper Campaign November 2018,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,TropicTrooper Campaign November 2018,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Control Panel DLL Load,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1053: 
Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title 
None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1053: 
Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1053: Scheduled Task,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1086: 
PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1086: PowerShell,Default PowerSploit and Empire Schtasks Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1081: Credentials in Files,Judgement Panda Credential Access Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1081: Credentials in Files,Judgement Panda Credential Access Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1081: Credentials in Files,Judgement Panda Credential Access Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Judgement Panda Credential Access Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Judgement Panda Credential Access Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Judgement Panda Credential Access Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1081: Credentials in Files,Judgement Panda Credential Access Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1081: Credentials in Files,Judgement Panda Credential Access Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1081: Credentials in Files,Judgement Panda Credential Access Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Judgement Panda Credential Access Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Judgement Panda Credential Access 
Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Judgement Panda Credential Access Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0041_windows_audit_other_object_access_events,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0065_4701_scheduled_task_was_disabled,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0041_windows_audit_other_object_access_events,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: 
Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0041_windows_audit_other_object_access_events,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1053: Scheduled Task,Defrag Deactivation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious SYSVOL Domain Group Policy Access,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for 
CVE-2015-1641,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1036: Masquerading,Exploit for CVE-2015-1641,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1040: Network Sniffing,Network Sniffing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1040: Network Sniffing,Network Sniffing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1040: Network Sniffing,Network Sniffing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1040: Network Sniffing,Network Sniffing,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1040: Network Sniffing,Network Sniffing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1040: Network Sniffing,Network Sniffing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1040: Network Sniffing,Network Sniffing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1040: Network Sniffing,Network Sniffing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1040: Network Sniffing,Network Sniffing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1040: Network Sniffing,Network Sniffing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1040: Network Sniffing,Network Sniffing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1040: 
Network Sniffing,Network Sniffing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Bitsadmin Download,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1220: XSL Script Processing,XSL Script Processing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1220: XSL Script Processing,XSL Script Processing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1220: XSL Script 
Processing,XSL Script Processing,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1220: XSL Script Processing,XSL Script Processing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1220: XSL Script Processing,XSL Script Processing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1220: XSL Script Processing,XSL Script Processing,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER2;TESTCUSTOMER,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER2;TESTCUSTOMER,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER2;TESTCUSTOMER,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER2;TESTCUSTOMER,TA0006: 
Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER2;TESTCUSTOMER,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER2;TESTCUSTOMER,TA0006: Credential Access,T1003: Credential Dumping,Cmdkey Cached Credentials Recon,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Process Dump via Comsvcs DLL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious PowerShell Parameter Substring,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1033: System Owner/User Discovery,Whoami Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1197: BITS Jobs,Suspicious Bitsadmin Job via PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Windows Processes Suspicious Parent Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1055: Process Injection,Renamed ZOHO Dctask64,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Process Start Locations,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1100: Web Shell,Execution in Webserver Root Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Ps.exe Renamed SysInternals Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Ps.exe Renamed SysInternals Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Ps.exe Renamed SysInternals Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Ps.exe Renamed SysInternals Tool,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Ps.exe Renamed SysInternals Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Ps.exe Renamed SysInternals Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Non Interactive PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Non Interactive PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Non Interactive PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Non Interactive PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Non Interactive PowerShell,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Non Interactive PowerShell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Script Run in AppData,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via SoundRecorder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via SoundRecorder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via SoundRecorder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via SoundRecorder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via SoundRecorder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0009: Collection,T1123: Audio Capture,Audio Capture via SoundRecorder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1012: Query Registry,Baby Shark 
Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1012: Query Registry,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,Baby Shark Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Fsutil Suspicious Invocation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Reconnaissance 
Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1082: System Information Discovery,Reconnaissance Activity with Net Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Wsreset UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1128: Netsh Helper DLL,Suspicious Netsh DLL Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1128: Netsh Helper DLL,Suspicious Netsh DLL Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1128: Netsh Helper DLL,Suspicious Netsh DLL Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1128: Netsh Helper DLL,Suspicious Netsh DLL Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1128: Netsh Helper DLL,Suspicious Netsh DLL Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1128: Netsh Helper DLL,Suspicious Netsh DLL Persistence,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Shadow Copies Access via Symlink,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Shadow Copies Access via Symlink,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Shadow Copies Access via Symlink,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Shadow Copies Access via Symlink,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Shadow Copies Access via Symlink,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Shadow Copies Access via Symlink,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1053: Scheduled Task,Scheduled Task Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Scheduled Task Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1053: Scheduled Task,Scheduled Task Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0004: Privilege Escalation,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1100: Web Shell,Webshell Detection With Command Line Keywords,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1036: Masquerading,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Process Dump via Rundll32 and Comsvcs.dll,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1223: Compiled HTML File,HTML Help Shell Spawn,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via WSReset.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via WSReset.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via WSReset.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via WSReset.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via WSReset.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Bypass UAC via WSReset.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0011: Command and Control,T1090: Connection Proxy,Netsh Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,DNS Exfiltration Tools Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,DNS Exfiltration Tools Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,DNS Exfiltration Tools Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,DNS Exfiltration Tools Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,DNS Exfiltration Tools Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,DNS Exfiltration Tools Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,DNS Exfiltration Tools Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,DNS Exfiltration Tools Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0010: Exfiltration,T1048: Exfiltration Over Alternative Protocol,DNS Exfiltration Tools Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1136: Create Account,Net.exe User Account Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1035: Service Execution,Service Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1035: Service Execution,Service Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1035: Service Execution,Service Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1035: Service Execution,Service Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1035: Service Execution,Service Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1035: Service Execution,Service Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1042: Change Default File Association,Change Default File Association,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1042: Change Default File Association,Change Default File Association,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1042: Change Default File Association,Change Default File Association,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1042: Change Default File Association,Change Default File Association,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1042: Change Default File Association,Change Default File Association,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1042: Change Default File Association,Change Default File Association,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title 
None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,WScript or CScript Dropper,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1055: Process Injection,ZOHO Dctask64 Process Injection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1055: Process Injection,ZOHO Dctask64 Process Injection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1055: Process Injection,ZOHO Dctask64 Process Injection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1055: Process Injection,ZOHO Dctask64 Process Injection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1055: Process Injection,ZOHO Dctask64 Process Injection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1055: Process Injection,ZOHO Dctask64 
Process Injection,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1203: Exploitation for Client Execution,Exploit for CVE-2017-8759,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Empire Monkey,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Microsoft Office Product Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 
Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,PowerShell Base64 Encoded Shellcode,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1033: System Owner/User Discovery,Local Accounts Discovery,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1033: System Owner/User Discovery,Local Accounts Discovery,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1033: System Owner/User Discovery,Local Accounts Discovery,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Local Accounts Discovery,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Local Accounts Discovery,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Local Accounts Discovery,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1033: System Owner/User Discovery,Local Accounts Discovery,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1033: System Owner/User Discovery,Local Accounts Discovery,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1033: System Owner/User Discovery,Local Accounts Discovery,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Local Accounts Discovery,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Local Accounts Discovery,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Local Accounts Discovery,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and 
Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1100: Web Shell,Shells Spawned by Web Servers,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title 
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1191: CMSTP,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1088: Bypass User Account Control,Bypass UAC via CMSTP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1096: NTFS File Attributes,Run PowerShell Script from ADS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1096: NTFS File Attributes,Run PowerShell Script from ADS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1096: NTFS File Attributes,Run PowerShell Script from ADS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1096: NTFS File Attributes,Run PowerShell Script from ADS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1096: NTFS File Attributes,Run PowerShell Script from ADS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1096: NTFS File Attributes,Run PowerShell Script from ADS,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0064_4698_scheduled_task_was_created,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,System,Service Control Manager,DN_0005_7045_windows_service_insatalled,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1053: Scheduled Task,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0041_windows_audit_other_object_access_events,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Chafer Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell Downgrade Attack,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Copy from Admin Share,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Copy from Admin Share,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Copy from Admin Share,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1105: Remote File Copy,Copy from Admin Share,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1105: Remote File Copy,Copy from Admin Share,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1105: Remote File Copy,Copy from Admin Share,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Copy from Admin Share,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Copy from Admin Share,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1077: Windows Admin Shares,Copy from Admin Share,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0008: Lateral Movement,T1105: Remote File Copy,Copy from Admin Share,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0008: Lateral Movement,T1105: Remote File Copy,Copy from Admin Share,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0008: Lateral Movement,T1105: Remote File Copy,Copy from Admin Share,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Memory Dumping,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Memory Dumping,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Memory Dumping,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Memory Dumping,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Memory Dumping,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Memory Dumping,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Calculator Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1085: Rundll32,Suspicious Call by Ordinal,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1088: Bypass User Account 
Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,Empire PowerShell UAC Bypass,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of 
Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1036: Masquerading,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Suspicious Use of Procdump,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: 
Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,System File Execution Location 
Anomaly,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Execution in Non-Executable Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub 
Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0002: Execution,T1193: 
Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain 
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report
None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise
None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url
None,TA0005: Defense Evasion,T1193: Spearphishing 
Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message 
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP 
Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message 
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0005: Defense Evasion,T1193: 
Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0005: Defense 
Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0005: Defense Evasion,T1193: Spearphishing 
Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0005: Defense Evasion,T1193: 
Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0005: 
Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0001: Initial Access,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0001: Initial Access,T1059: Command-Line 
Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing 
Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: 
Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing 
Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice 
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies 
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing 
Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial 
Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing 
Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial 
Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url 
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0002: Execution,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: 
Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP 
Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0002: 
Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0002: Execution,T1193: 
Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub 
Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0002: Execution,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0005: 
Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0005: Defense Evasion,T1193: Spearphishing 
Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0005: Defense Evasion,T1193: Spearphishing 
Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0005: Defense Evasion,T1193: Spearphishing 
Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP 
Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report
None,TA0005: Defense Evasion,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise
None,TA0001: Initial Access,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0001: Initial Access,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0001: Initial Access,T1059: Command-Line Interface,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0001: Initial Access,T1202: Indirect Command Execution,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious HWP Sub Processes,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0002: Execution,T1086: PowerShell,APT29,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,APT29,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,APT29,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,APT29,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,APT29,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,APT29,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1223: Compiled HTML File,HH.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1223: Compiled HTML File,HH.exe 
Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1223: Compiled HTML File,HH.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1223: Compiled HTML File,HH.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1223: Compiled HTML File,HH.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1223: Compiled HTML File,HH.exe Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1223: Compiled HTML File,HH.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1223: Compiled HTML File,HH.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1223: Compiled HTML File,HH.exe Execution,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1223: Compiled HTML File,HH.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1223: Compiled HTML File,HH.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1223: Compiled HTML File,HH.exe Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title 
None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Rubeus Hack Tool,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,Unidentified Attacker November 2018,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1100: Web Shell,IIS Native-Code Module Command Line Installation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0040: Impact,T1489: Service Stop,Stop Windows Service,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0040: Impact,T1489: Service Stop,Stop Windows Service,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0040: Impact,T1489: Service Stop,Stop Windows Service,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0040: Impact,T1489: Service Stop,Stop Windows Service,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0040: Impact,T1489: Service Stop,Stop Windows Service,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0040: Impact,T1489: Service Stop,Stop Windows Service,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1068: Exploitation for Privilege Escalation,Exploiting CVE-2019-1388,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense 
Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Executables Started in Suspicious Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1070: Indicator 
Removal on Host,Suspicious Eventlog Clear or Configuration Using Wevtutil,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Suspicious Eventlog Clear or Configuration Using Wevtutil,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Suspicious Eventlog Clear or Configuration Using Wevtutil,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Suspicious Eventlog Clear or Configuration Using Wevtutil,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Suspicious Eventlog Clear or Configuration Using Wevtutil,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Suspicious Eventlog Clear or Configuration Using Wevtutil,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0010: Exfiltration,T1020: Automated Exfiltration,Exfiltration and Tunneling Tools Execution,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0010: Exfiltration,T1020: Automated Exfiltration,Exfiltration and Tunneling Tools Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0010: Exfiltration,T1020: Automated Exfiltration,Exfiltration and Tunneling Tools Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0010: Exfiltration,T1020: Automated Exfiltration,Exfiltration and Tunneling Tools Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers Exploiting CVE-2017-11882,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers Exploiting CVE-2017-11882,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers Exploiting CVE-2017-11882,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers Exploiting CVE-2017-11882,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers Exploiting CVE-2017-11882,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1211: Exploitation for Defense Evasion,Droppers Exploiting CVE-2017-11882,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1105: Remote File Copy,Suspicious Certutil Command,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1124: System Time Discovery,Discovery of a System Time,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1124: System Time Discovery,Discovery of a System Time,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1124: System Time Discovery,Discovery of a System Time,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0007: Discovery,T1124: System Time Discovery,Discovery of a System Time,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0007: Discovery,T1124: System Time Discovery,Discovery of a System Time,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0007: Discovery,T1124: System Time Discovery,Discovery of a System Time,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1070: Indicator Removal on Host,Disable of ETW Trace,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell DownloadFile,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell DownloadFile,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell DownloadFile,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell DownloadFile,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell DownloadFile,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell DownloadFile,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Execution of Renamed PaExec,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Shadow Copies Creation Using Operating Systems Utilities,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Shadow Copies Creation Using Operating Systems Utilities,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1170: Mshta,Mshta JavaScript Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Copying Sensitive Files with Credential Data,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Copying Sensitive Files with Credential Data,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Copying Sensitive Files with Credential Data,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Copying Sensitive Files with Credential Data,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Copying Sensitive Files with Credential Data,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Copying Sensitive Files with Credential Data,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1196: Control Panel Items,Control Panel Items,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1500: Compile After Delivery,Suspicious Csc.exe Source File Folder,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious Program Location Process Starts,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0011: Command and Control,T1219: Remote Access Tools,Suspicious TSCON Start,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
TESTCUSTOMER2;TESTCUSTOMER,TA0005: Defense Evasion,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
TESTCUSTOMER2;TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
TESTCUSTOMER2;TESTCUSTOMER,TA0004: Privilege Escalation,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
TESTCUSTOMER2;TESTCUSTOMER,TA0004: Privilege Escalation,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
TESTCUSTOMER2;TESTCUSTOMER,TA0002: Execution,T1088: Bypass User Account Control,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
TESTCUSTOMER2;TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP UAC Bypass via COM Object Access,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Possible Privilege Escalation via Weak Service Permissions,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Invocation of Active Directory Diagnostic Tool (ntdsutil.exe),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,New Service Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,New Service Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1050: New Service,New Service Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1050: New Service,New Service Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1050: New Service,New Service Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0004: Privilege Escalation,T1050: New Service,New Service Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,New Service Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0003: Persistence,T1050: New Service,New Service Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0003: Persistence,T1050: New Service,New Service Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1050: New Service,New Service Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1050: New Service,New Service Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0004: Privilege Escalation,T1050: New Service,New Service Creation,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,Encoded IEX,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,Encoded IEX,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1086: PowerShell,Encoded IEX,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded IEX,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded IEX,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded IEX,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,Encoded IEX,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1086: PowerShell,Encoded IEX,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1086: PowerShell,Encoded IEX,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded IEX,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded IEX,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1140: Deobfuscate/Decode Files or Information,Encoded IEX,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Suspicious Commandline Escape,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title
TESTCUSTOMER2;TESTCUSTOMER,TA0005: Defense Evasion,T1047: Windows Management Instrumentation,SquiblyTwo,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0002: Execution,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0002: Execution,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title
None,TA0002: Execution,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title
None,TA0005: Defense Evasion,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1059: Command-Line Interface,Equation Group DLL_U Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense 
Evasion,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Equation Group DLL_U Load,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for 
CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0004: Privilege Escalation,T1055: Process Injection,Exploit for CVE-2017-0261,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1087: Account Discovery,Suspicious Reconnaissance Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Applications and 
Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Backdoor Exchange Transport Agent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Possible Ransomware or Unauthorized MBR Modifications,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1070: Indicator Removal on Host,Possible Ransomware or Unauthorized MBR Modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1067: Bootkit,Possible Ransomware or Unauthorized MBR Modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1067: Bootkit,Possible Ransomware or Unauthorized MBR Modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1070: Indicator Removal on Host,Possible Ransomware or Unauthorized MBR Modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1070: Indicator Removal on Host,Possible Ransomware or Unauthorized MBR Modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1067: Bootkit,Possible Ransomware or Unauthorized MBR Modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1067: Bootkit,Possible Ransomware or Unauthorized MBR 
Modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Detection of Possible Rotten Potato,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Detection of Possible Rotten Potato,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,EN_0002_enrich_sysmon_event_id_1_with_parent_info,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0008: Lateral Movement,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1002: Data Compressed,Judgement Panda Exfil 
Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0010: Exfiltration,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0010: Exfiltration,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0010: Exfiltration,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0010: Exfiltration,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0010: Exfiltration,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0010: Exfiltration,T1002: Data 
Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0006: Credential Access,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0010: Exfiltration,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0010: Exfiltration,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0010: Exfiltration,T1098: Account Manipulation,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0010: Exfiltration,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0010: Exfiltration,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0010: Exfiltration,T1002: Data Compressed,Judgement Panda Exfil Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1140: Deobfuscate/Decode Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Ping Hex IP,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Start,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Start,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Start,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege 
Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1134: Access Token Manipulation,Meterpreter or Cobalt Strike Getsystem Service Start,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Taskmgr as Parent,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Windows Shell Spawning Suspicious Program,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Windows Shell Spawning Suspicious Program,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1040: Network Sniffing,Capture a Network Trace with netsh.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1040: Network Sniffing,Capture a Network Trace with netsh.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1040: Network Sniffing,Capture a Network Trace with netsh.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1040: Network Sniffing,Capture a Network Trace with netsh.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1040: Network Sniffing,Capture a Network Trace with netsh.exe,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1040: Network Sniffing,Capture a Network Trace with netsh.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable Used by PlugX in Uncommon Location,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable Used by PlugX in Uncommon Location,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable Used by PlugX in Uncommon Location,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable Used by PlugX in Uncommon Location,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable Used by PlugX in Uncommon Location,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable Used by PlugX in Uncommon Location,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable Used by PlugX in Uncommon Location,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable Used by PlugX in Uncommon Location,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Executable Used by PlugX in Uncommon Location,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1170: 
Mshta,MSHTA Spawning Windows Shell,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1170: Mshta,MSHTA Spwaned by SVCHOST,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,CreateMiniDump Hacktool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,CreateMiniDump Hacktool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential 
Dumping,CreateMiniDump Hacktool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,CreateMiniDump Hacktool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with Suspicious URL and AppData Strings,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with Suspicious URL and AppData Strings,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with Suspicious URL and AppData Strings,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with Suspicious URL and AppData Strings,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with Suspicious URL and AppData Strings,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1059: Command-Line Interface,Command Line Execution with Suspicious URL and AppData Strings,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title 
None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,Adwind RAT / JRAT,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1222: File and Directory Permissions Modification,File or Folder Permissions Modifications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1222: File and Directory Permissions Modification,File or Folder Permissions Modifications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1222: File and Directory Permissions Modification,File or Folder Permissions Modifications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1222: File and Directory Permissions Modification,File or Folder Permissions Modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1222: File and Directory Permissions 
Modification,File or Folder Permissions Modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1222: File and Directory Permissions Modification,File or Folder Permissions Modifications,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1076: Remote Desktop Protocol,Suspicious RDP Redirect Using TSCON,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title 
None,TA0005: Defense Evasion,T1036: Masquerading,Suspicious MsiExec Directory,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial 
Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing 
Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain 
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: 
Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0001_4688_windows_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: 
Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double 
Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing 
Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: 
Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial 
Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double 
Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing 
Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial 
Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: 
Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing 
Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious 
Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious 
Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Suspicious Double Extension,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1482: Domain Trust Discovery,Domain Trust Discovery,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Highly Relevant Renamed Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1012: Query Registry,Query Registry,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1012: Query Registry,Query Registry,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1012: Query Registry,Query Registry,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1007: System Service Discovery,Query Registry,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1007: System Service Discovery,Query Registry,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1007: System Service Discovery,Query Registry,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1012: Query Registry,Query Registry,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1012: Query Registry,Query Registry,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1012: Query Registry,Query Registry,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0007: Discovery,T1007: System Service Discovery,Query Registry,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0007: Discovery,T1007: System Service Discovery,Query Registry,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0007: Discovery,T1007: System Service Discovery,Query Registry,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Applications 
and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Indirect Command Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Indirect Command Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Indirect Command Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: 
Indirect Command Execution,Indirect Command Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Indirect Command Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1202: Indirect Command Execution,Indirect Command Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Remote PowerShell Session,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Remote PowerShell Session,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Remote PowerShell Session,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Remote PowerShell Session,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Remote PowerShell Session,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1086: PowerShell,Remote PowerShell Session,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Detection of PowerShell Execution via DLL,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed 
Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1218: Signed Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1218: Signed Binary Proxy Execution,Devtoolslauncher.exe Executes Specified Binary,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1021: Remote Services,Netsh RDP Port Forwarding,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Exploited CVE-2020-10189 Zoho ManageEngine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Exploited CVE-2020-10189 Zoho ManageEngine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Exploited CVE-2020-10189 Zoho ManageEngine,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Exploited CVE-2020-10189 Zoho ManageEngine,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Exploited CVE-2020-10189 Zoho ManageEngine,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0001: Initial Access,T1190: Exploit Public-Facing Application,Exploited CVE-2020-10189 Zoho ManageEngine,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title 
None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1064: Scripting,Suspicious RASdial Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title 
None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0002: Execution,T1085: Rundll32,Suspicious Rundll32 Activity,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1015: Accessibility 
Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0004: Privilege Escalation,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1015: Accessibility Features,Sticky Key Like Backdoor Usage,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP 
Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,-,,,-,title 
TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,-,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: 
CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS 
Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0007_windows_sysmon_ProcessAccess,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0005: Defense Evasion,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0007_windows_sysmon_ProcessAccess,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title TESTCUSTOMER,TA0002: Execution,T1191: CMSTP,CMSTP Execution,OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1210: Exploitation of Remote Services,Suspicious Outbound RDP Connections,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Disable Security Events Logging Adding Reg Key MiniNt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Disable Security Events Logging Adding Reg Key MiniNt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,-,,,-,title None,TA0005: Defense Evasion,T1055: Process Injection,Malware Shellcode in Verclsid Target Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0004: Privilege Escalation,T1055: Process Injection,Malware Shellcode in Verclsid Target Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0004: Privilege Escalation,T1055: Process Injection,Suspicious In-Memory Module Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0005: Defense Evasion,T1085: Rundll32,PowerShell Rundll32 Remote Thread Creation,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title None,TA0005: Defense Evasion,T1086: PowerShell,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title None,TA0002: Execution,T1085: Rundll32,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Rundll32 Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title None,TA0008: Lateral Movement,T1003: Credential Dumping,Mimikatz In-Memory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz In-Memory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0002: Execution,T1036: Masquerading,Renamed jusched.exe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3203_quarantine_email_message 
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Kerberos DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0006: Credential Access,T1003: Credential Dumping,Detection of SafetyKatz,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0003: Persistence,T1103: AppInit DLLs,New DLL Added to 
AppInit_DLLs Registry Key,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0003: Persistence,T1103: AppInit DLLs,New DLL Added to AppInit_DLLs Registry Key,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title None,TA0003: Persistence,T1103: AppInit DLLs,New DLL Added to AppInit_DLLs Registry Key,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,-,,,-,title None,TA0002: Execution,T1086: PowerShell,Alternate PowerShell Hosts Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Renamed ProcDump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Renamed ProcDump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Renamed ProcDump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0005: Defense Evasion,T1036: Masquerading,Renamed ProcDump,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title 
None,TA0006: Credential Access,T1003: Credential Dumping,Windows Credential Editor,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Windows Credential Editor,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Windows Credential Editor,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Windows Credential Editor,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,Suspicious Scripting in a WMI Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Suspect Svchost Memory Asccess,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR 
DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs 
None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial 
Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office 
Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: 
Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,CLR DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0004: Privilege Escalation,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0003: Persistence,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0005: Defense Evasion,T1183: Image File Execution Options Injection,Registry Persistence Mechanisms,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0011: Command and Control,T1043: Commonly Used Port,Possible DNS Rebinding,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0003: Persistence,T1038: DLL Search Order Hijacking,Windows Registry Persistence COM Search Order Hijacking,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0002: Execution,T1086: PowerShell,PowerShell Network Connections,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0005: Defense Evasion,T1055: Process Injection,CobaltStrike Process Injection,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title None,TA0008: Lateral Movement,T1105: Remote File Copy,Pandemic Registry Key,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0003: Persistence,T1050: New Service,Suspicious Driver Load from Temp,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,-,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications 
and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts 
(UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: 
Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0003: Persistence,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows 
Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0008: Lateral Movement,T1037: Logon Scripts,Logon Scripts (UserInitMprLogonScript),OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Suspicious Service Installed,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Persistence - Command Line Event Consumer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Password Dumper Remote Thread in LSASS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Cred Dump-Tools Named Pipes,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0005: Defense Evasion,T1089: Disabling Security Tools,Suspicious PROCEXP152.sys File Created In TMP,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Narrator's Feedback-Hub Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Narrator's Feedback-Hub Persistence,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message 
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,Active Directory Parsing DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1002_take_trainings None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: 
Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: 
Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office 
Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,dotNET DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: 
Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: 
PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0002: Execution,T1086: PowerShell,In-memory PowerShell,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,- None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1001_practice None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1002_take_trainings 
None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1104_access_external_http_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain None,TA0001: Initial Access,T1193: 
Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2202_collect_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL 
Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3101_block_external_ip_address None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3103_block_external_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3105_block_external_url None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3201_block_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3202_block_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing 
Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3203_quarantine_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4201_delete_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url None,TA0001: Initial Access,T1193: 
Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6001_develop_incident_report None,TA0001: Initial Access,T1193: Spearphishing Attachment,VBA DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Network Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Network Activity,OS 
Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Network Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Network Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Network Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0002: Execution,T1117: Regsvr32,Regsvr32 Network Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Network Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0005: Defense Evasion,T1117: Regsvr32,Regsvr32 Network Activity,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Memory Dump,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0002: Execution,T1086: PowerShell,Remote PowerShell Session,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0010_6_windows_sysmon_driver_loaded,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0008_4_windows_sysmon_sysmon_service_state_changed,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0085_22_windows_sysmon_DnsQuery,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process 
Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and 
Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0005_windows_sysmon_network_connection,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0008_windows_sysmon_FileCreate,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0007_windows_sysmon_ProcessAccess,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0011_windows_sysmon_DnsQuery,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0006: Credential Access,T1003: Credential Dumping,Dumpert Process Dumper,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,-,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0002_windows_audit_process_creation_with_commandline,,,-,title None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DNS ServerLevelPluginDll Install,OS Logs,Windows,Windows Log,Security,Microsoft-Windows-Security-Auditing,DN_0002_4688_windows_process_creation_with_commandline,LP_0001_windows_audit_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics Due to Missing Fields,OS Logs,Windows,Applications and Services 
Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics Due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics Due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics Due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics Due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0005: Defense Evasion,T1064: Scripting,Suspicious File Characteristics Due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics Due to Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0006_windows_sysmon_image_loaded,,,-,title None,TA0002: Execution,T1064: Scripting,Suspicious File Characteristics Due to 
Missing Fields,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1027: Obfuscated Files or Information,Executable in ADS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,-,,,-,title
None,TA0003: Persistence,T1023: Shortcut Modification,Suspicious desktop.ini Action,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,QuarksPwDump Dump File,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Sdclt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Sdclt,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0005: Defense Evasion,T1006: File System Logical Offsets,Raw Disk Access Using Illegitimate Tools,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,-,,,-,title
None,TA0002: Execution,T1055: Process Injection,CACTUSTORCH Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
None,TA0002: Execution,T1064: Scripting,CACTUSTORCH Remote Thread Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
None,TA0008: Lateral Movement,T1105: Remote File Copy,Microsoft Binary Suspicious Communication Endpoint,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Cred Dump Tools Dropped Files,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
None,TA0008: Lateral Movement,T1105: Remote File Copy,Microsoft Binary Github Communication,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
None,TA0011: Command and Control,T1043: Commonly Used Port,Suspicious Typical Malware Back Connect Ports,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1001_practice
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1002_take_trainings
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1104_access_external_http_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2202_collect_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3101_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3103_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3105_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3201_block_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3202_block_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_3203_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_4201_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6001_develop_incident_report
None,TA0001: Initial Access,T1193: Spearphishing Attachment,GAC DLL Loaded Via Office Applications,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise
None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Event Subscription,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0023_20_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Event Subscription,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0024_21_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Event Subscription,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0022_19_windows_sysmon_WmiEvent,LP_0010_windows_sysmon_WmiEvent,,,-,title
None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Autorun Keys Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0003: Persistence,T1084: Windows Management Instrumentation Event Subscription,WMI Persistence - Script Event Consumer File Write,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
None,TA0005: Defense Evasion,T1085: Rundll32,Rundll32 Internet Connection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
None,TA0002: Execution,T1085: Rundll32,Rundll32 Internet Connection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
None,TA0003: Persistence,T1073: DLL Side-Loading,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0003: Persistence,T1038: DLL Search Order Hijacking,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0003: Persistence,T1112: Modify Registry,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0005: Defense Evasion,T1038: DLL Search Order Hijacking,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,Svchost DLL Search Order Hijack,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0005: Defense Evasion,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
None,TA0004: Privilege Escalation,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
None,TA0005: Defense Evasion,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
None,TA0004: Privilege Escalation,T1055: Process Injection,Malicious Named Pipe,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0009_windows_sysmon_PipeEvent,,,-,title
None,TA0002: Execution,T1086: PowerShell,PowerShell Execution,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0005: Defense Evasion,T1055: Process Injection,CreateRemoteThread API and LoadLibrary,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
None,TA0003: Persistence,T1122: Component Object Model Hijacking,Windows Registry Persistence COM Key Linking,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Credentials Dumping Tools Accessing LSASS Memory,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Registry Persistence via Explorer Run Key,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0002: Execution,T1086: PowerShell,Alternate PowerShell Hosts Module Load,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0002: Execution,T1047: Windows Management Instrumentation,Windows Mangement Instrumentation DLL Loaded Via Microsoft Word,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0005: Defense Evasion,T1073: DLL Side-Loading,Possible Process Hollowing Image Loading,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Unsigned Image Loaded Into LSASS Process,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,Suspicious RUN Key from Download,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0004: Privilege Escalation,T1055: Process Injection,Suspicious Remote Thread Created,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0012_8_windows_sysmon_CreateRemoteThread,-,,,-,title
None,TA0002: Execution,T1177: LSASS Driver,DLL Load via LSASS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0002: Execution,T1177: LSASS Driver,DLL Load via LSASS,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,RDP Registry Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0003: Persistence,T1100: Web Shell,Windows Webshell Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
None,TA0002: Execution,T1086: PowerShell,Malicious PowerShell Commandlet Names,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
None,TA0002: Execution,T1047: Windows Management Instrumentation,WMI Modules Loaded,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0005: Defense Evasion,T1076: Remote Desktop Protocol,RDP Over Reverse SSH Tunnel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
None,TA0011: Command and Control,T1076: Remote Desktop Protocol,RDP Over Reverse SSH Tunnel,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1001_practice
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1002_take_trainings
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1004_make_personnel_report_suspicious_activity
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1003_raise_personnel_awareness
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1101_access_external_network_flow_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1104_access_external_http_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1106_access_external_dns_logs
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1111_get_ability_to_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1113_get_ability_to_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1115_get_ability_to_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1201_get_ability_to_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1202_get_ability_to_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1203_get_ability_to_block_email_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1204_get_ability_to_block_email_sender
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1205_get_ability_to_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_1206_get_ability_to_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_2003_put_compromised_accounts_on_monitoring
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_2113_list_hosts_communicated_with_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_2114_list_hosts_communicated_with_external_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_2115_list_hosts_communicated_with_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_2201_list_users_opened_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_2202_collect_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_2203_list_email_message_receivers
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_2204_make_sure_email_message_is_phishing
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_2205_extract_observables_from_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_3101_block_external_ip_address
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_3103_block_external_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_3105_block_external_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_3201_block_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_3202_block_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_3203_quarantine_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_4001_report_incident_to_external_companies
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_4201_delete_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_5101_unblock_blocked_ip
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_5102_unblock_blocked_domain
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_5103_unblock_blocked_url
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_5201_unblock_domain_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_5202_unblock_sender_on_email
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_5203_restore_quarantined_email_message
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_6001_develop_incident_report
None,TA0001: Initial Access,T1193: Spearphishing Attachment,Windows Registry Trust Record Modification,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,RP_0001_phishing_email,RA_6002_conduct_lessons_learned_exercise
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
None,TA0005: Defense Evasion,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
None,TA0004: Privilege Escalation,T1088: Bypass User Account Control,UAC Bypass via Event Viewer,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Dumping Lsass.exe Memory with MiniDumpWriteDump API,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0006_windows_sysmon_image_loaded,,,-,title
None,TA0003: Persistence,T1182: AppCert DLLs,New DLL Added to AppCertDlls Registry Key,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0003: Persistence,T1182: AppCert DLLs,New DLL Added to AppCertDlls Registry Key,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0003: Persistence,T1182: AppCert DLLs,New DLL Added to AppCertDlls Registry Key,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0003: Persistence,T1011: Exfiltration Over Other Network Medium,Security Support Provider (SSP) Added to LSA Configuration,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0003: Persistence,T1060: Registry Run Keys / Startup Folder,New RUN Key Pointing to Suspicious Folder,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,-,,,-,title
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0003_1_windows_sysmon_process_creation,LP_0003_windows_sysmon_process_creation,,,-,title
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0009_5_windows_sysmon_process_terminated,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0019_15_windows_sysmon_FileCreateStreamHash,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0013_9_windows_sysmon_RawAccessRead,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0006_2_windows_sysmon_process_changed_a_file_creation_time,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0011_7_windows_sysmon_image_loaded,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0016_12_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0021_18_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0018_14_windows_sysmon_RegistryEvent,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,-,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0004: Privilege Escalation,T1058: Service Registry Permissions Weakness,Possible Privilege Escalation via Service Permissions Weakness,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0020_17_windows_sysmon_PipeEvent,LP_0003_windows_sysmon_process_creation,EN_0003_enrich_other_sysmon_events_with_event_id_1_data,EN_0001_cache_sysmon_event_id_1_info,-,-
None,TA0003: Persistence,T1041: Exfiltration Over Command and Control Channel,Suspicious ADSI-Cache Usage By Unknown Tool,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,LSASS Memory Dump File Creation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0015_11_windows_sysmon_FileCreate,LP_0008_windows_sysmon_FileCreate,,,-,title
None,TA0005: Defense Evasion,T1073: DLL Side-Loading,DHCP Callout DLL Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0005: Defense Evasion,T1112: Modify Registry,DHCP Callout DLL Installation,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0017_13_windows_sysmon_RegistryEvent,-,,,-,title
None,TA0008: Lateral Movement,T1208: Kerberoasting,Suspicious Outbound Kerberos Connection,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0007_3_windows_sysmon_network_connection,LP_0005_windows_sysmon_network_connection,,,-,title
None,TA0006: Credential Access,T1003: Credential Dumping,Mimikatz through Windows Remote Management,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
None,TA0006: Credential Access,T1028: Windows Remote Management,Mimikatz through Windows Remote Management,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
None,TA0002: Execution,T1003: Credential Dumping,Mimikatz through Windows Remote Management,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title
None,TA0002: Execution,T1028: Windows Remote Management,Mimikatz through Windows Remote Management,OS Logs,Windows,Applications and Services Logs,Microsoft-Windows-Sysmon/Operational,Microsoft-Windows-Sysmon,DN_0014_10_windows_sysmon_ProcessAccess,LP_0007_windows_sysmon_ProcessAccess,,,-,title