2_ds_beyondtrust_beyondinsight.md

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	app-activity ↳beyondtrust-bi-cef-app-activity-success-approve ↳beyondtrust-bi-cef-app-activity-success-appauditdelete ↳beyondtrust-bi-cef-app-activity-success-appauditadd ↳beyondtrust-bi-leef-app-activity-success-system ↳beyondtrust-bi-leef-app-activity-success-passwordexpired ↳beyondtrust-bi-leef-app-activity-success-managedaccount ↳beyondtrust-bi-leef-app-activity-success-releasepasswordreset ↳beyondtrust-bi-leef-app-activity-success-thesystem ↳beyondtrust-bi-leef-app-activity-success-mismatch ↳beyondtrust-bi-leef-app-activity-success-updated ↳beyondtrust-bi-leef-app-activity-success-managed ↳beyondtrust-bi-leef-app-activity-success-turnedoff ↳beyondtrust-bi-leef-app-activity-success-passwordreset ↳beyondtrust-bi-leef-app-activity-success-passwordchange ↳beyondtrust-bi-json-app-activity-success-deny ↳beyondtrust-bi-json-app-activity-success-approve ↳beyondtrust-bi-json-app-activity-success-cancel ↳beyondtrust-bi-json-app-activity-success-update ↳beyondtrust-bi-json-app-activity-success-expire app-login ↳beyondtrust-passwordsafe-json-app-login-success-applogin ↳beyondtrust-passwordsafe-json-app-login-success-beyondinsight ↳beyondtrust-bi-leef-app-login-success-login ↳beyondtrust-bi-leef-app-login-success-pmmlogin ↳beyondtrust-bi-cef-app-login-success-login database-login ↳beyondtrust-passwordsafe-json-app-activity-success-read ↳beyondtrust-passwordsafe-json-user-password-reset-success-passwordreset ↳beyondtrust-passwordsafe-json-app-logout-success-logout failed-app-login ↳beyondtrust-passwordsafe-json-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-failedtologon ↳beyondtrust-bi-leef-app-login-fail-connectfailure process-created ↳beyondtrust-powerbroker-json-process-create-success-28692 ↳beyondtrust-powerbroker-str-process-create-success-messageforwarded	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1036.004 - T1036.004 T1040 - Network Sniffing T1059.001 - Command and Scripting Interperter: PowerShell T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1213 - Data from Information Repositories T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	89 Rules 37 Models
Data Access	app-activity ↳beyondtrust-bi-cef-app-activity-success-approve ↳beyondtrust-bi-cef-app-activity-success-appauditdelete ↳beyondtrust-bi-cef-app-activity-success-appauditadd ↳beyondtrust-bi-leef-app-activity-success-system ↳beyondtrust-bi-leef-app-activity-success-passwordexpired ↳beyondtrust-bi-leef-app-activity-success-managedaccount ↳beyondtrust-bi-leef-app-activity-success-releasepasswordreset ↳beyondtrust-bi-leef-app-activity-success-thesystem ↳beyondtrust-bi-leef-app-activity-success-mismatch ↳beyondtrust-bi-leef-app-activity-success-updated ↳beyondtrust-bi-leef-app-activity-success-managed ↳beyondtrust-bi-leef-app-activity-success-turnedoff ↳beyondtrust-bi-leef-app-activity-success-passwordreset ↳beyondtrust-bi-leef-app-activity-success-passwordchange ↳beyondtrust-bi-json-app-activity-success-deny ↳beyondtrust-bi-json-app-activity-success-approve ↳beyondtrust-bi-json-app-activity-success-cancel ↳beyondtrust-bi-json-app-activity-success-update ↳beyondtrust-bi-json-app-activity-success-expire app-login ↳beyondtrust-passwordsafe-json-app-login-success-applogin ↳beyondtrust-passwordsafe-json-app-login-success-beyondinsight ↳beyondtrust-bi-leef-app-login-success-login ↳beyondtrust-bi-leef-app-login-success-pmmlogin ↳beyondtrust-bi-cef-app-login-success-login database-login ↳beyondtrust-passwordsafe-json-app-activity-success-read ↳beyondtrust-passwordsafe-json-user-password-reset-success-passwordreset ↳beyondtrust-passwordsafe-json-app-logout-success-logout failed-app-login ↳beyondtrust-passwordsafe-json-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-failedtologon ↳beyondtrust-bi-leef-app-login-fail-connectfailure process-created ↳beyondtrust-powerbroker-json-process-create-success-28692 ↳beyondtrust-powerbroker-str-process-create-success-messageforwarded	T1003 - OS Credential Dumping T1078 - Valid Accounts T1213 - Data from Information Repositories	34 Rules 18 Models
Data Leak	app-activity ↳beyondtrust-bi-cef-app-activity-success-approve ↳beyondtrust-bi-cef-app-activity-success-appauditdelete ↳beyondtrust-bi-cef-app-activity-success-appauditadd ↳beyondtrust-bi-leef-app-activity-success-system ↳beyondtrust-bi-leef-app-activity-success-passwordexpired ↳beyondtrust-bi-leef-app-activity-success-managedaccount ↳beyondtrust-bi-leef-app-activity-success-releasepasswordreset ↳beyondtrust-bi-leef-app-activity-success-thesystem ↳beyondtrust-bi-leef-app-activity-success-mismatch ↳beyondtrust-bi-leef-app-activity-success-updated ↳beyondtrust-bi-leef-app-activity-success-managed ↳beyondtrust-bi-leef-app-activity-success-turnedoff ↳beyondtrust-bi-leef-app-activity-success-passwordreset ↳beyondtrust-bi-leef-app-activity-success-passwordchange ↳beyondtrust-bi-json-app-activity-success-deny ↳beyondtrust-bi-json-app-activity-success-approve ↳beyondtrust-bi-json-app-activity-success-cancel ↳beyondtrust-bi-json-app-activity-success-update ↳beyondtrust-bi-json-app-activity-success-expire	T1114.003 - Email Collection: Email Forwarding Rule	3 Rules
Lateral Movement	app-activity ↳beyondtrust-bi-cef-app-activity-success-approve ↳beyondtrust-bi-cef-app-activity-success-appauditdelete ↳beyondtrust-bi-cef-app-activity-success-appauditadd ↳beyondtrust-bi-leef-app-activity-success-system ↳beyondtrust-bi-leef-app-activity-success-passwordexpired ↳beyondtrust-bi-leef-app-activity-success-managedaccount ↳beyondtrust-bi-leef-app-activity-success-releasepasswordreset ↳beyondtrust-bi-leef-app-activity-success-thesystem ↳beyondtrust-bi-leef-app-activity-success-mismatch ↳beyondtrust-bi-leef-app-activity-success-updated ↳beyondtrust-bi-leef-app-activity-success-managed ↳beyondtrust-bi-leef-app-activity-success-turnedoff ↳beyondtrust-bi-leef-app-activity-success-passwordreset ↳beyondtrust-bi-leef-app-activity-success-passwordchange ↳beyondtrust-bi-json-app-activity-success-deny ↳beyondtrust-bi-json-app-activity-success-approve ↳beyondtrust-bi-json-app-activity-success-cancel ↳beyondtrust-bi-json-app-activity-success-update ↳beyondtrust-bi-json-app-activity-success-expire app-login ↳beyondtrust-passwordsafe-json-app-login-success-applogin ↳beyondtrust-passwordsafe-json-app-login-success-beyondinsight ↳beyondtrust-bi-leef-app-login-success-login ↳beyondtrust-bi-leef-app-login-success-pmmlogin ↳beyondtrust-bi-cef-app-login-success-login failed-app-login ↳beyondtrust-passwordsafe-json-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-failedtologon ↳beyondtrust-bi-leef-app-login-fail-connectfailure process-created ↳beyondtrust-powerbroker-json-process-create-success-28692 ↳beyondtrust-powerbroker-str-process-create-success-messageforwarded	T1021.001 - Remote Services: Remote Desktop Protocol T1021.003 - T1021.003 T1021.006 - T1021.006 T1047 - Windows Management Instrumentation T1059.001 - Command and Scripting Interperter: PowerShell T1078 - Valid Accounts T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy T1210 - Exploitation of Remote Services T1219 - Remote Access Software T1563.002 - T1563.002	24 Rules 1 Models
Malware	account-switch ↳beyondtrust-bi-json-user-privilege-use-switch-success-retrieve app-activity ↳beyondtrust-bi-cef-app-activity-success-approve ↳beyondtrust-bi-cef-app-activity-success-appauditdelete ↳beyondtrust-bi-cef-app-activity-success-appauditadd ↳beyondtrust-bi-leef-app-activity-success-system ↳beyondtrust-bi-leef-app-activity-success-passwordexpired ↳beyondtrust-bi-leef-app-activity-success-managedaccount ↳beyondtrust-bi-leef-app-activity-success-releasepasswordreset ↳beyondtrust-bi-leef-app-activity-success-thesystem ↳beyondtrust-bi-leef-app-activity-success-mismatch ↳beyondtrust-bi-leef-app-activity-success-updated ↳beyondtrust-bi-leef-app-activity-success-managed ↳beyondtrust-bi-leef-app-activity-success-turnedoff ↳beyondtrust-bi-leef-app-activity-success-passwordreset ↳beyondtrust-bi-leef-app-activity-success-passwordchange ↳beyondtrust-bi-json-app-activity-success-deny ↳beyondtrust-bi-json-app-activity-success-approve ↳beyondtrust-bi-json-app-activity-success-cancel ↳beyondtrust-bi-json-app-activity-success-update ↳beyondtrust-bi-json-app-activity-success-expire app-login ↳beyondtrust-passwordsafe-json-app-login-success-applogin ↳beyondtrust-passwordsafe-json-app-login-success-beyondinsight ↳beyondtrust-bi-leef-app-login-success-login ↳beyondtrust-bi-leef-app-login-success-pmmlogin ↳beyondtrust-bi-cef-app-login-success-login failed-app-login ↳beyondtrust-passwordsafe-json-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-failedtologon ↳beyondtrust-bi-leef-app-login-fail-connectfailure privileged-access ↳beyondtrust-powerbroker-kv-user-privilege-use-success-elevation ↳beyondtrust-bi-json-user-privilege-use-switch-success-retrieve process-created ↳beyondtrust-powerbroker-json-process-create-success-28692 ↳beyondtrust-powerbroker-str-process-create-success-messageforwarded	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.003 - T1053.003 T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1190 - Exploit Public Fasing Application T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1562.004 - Impair Defenses: Disable or Modify System Firewall T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	162 Rules 26 Models
Privilege Abuse	account-creation ↳beyondtrust-bi-cef-user-create-success-add ↳beyondtrust-bi-json-user-create-success-add account-deleted ↳beyondtrust-bi-json-user-delete-success-delete account-switch ↳beyondtrust-bi-json-user-privilege-use-switch-success-retrieve app-activity ↳beyondtrust-bi-cef-app-activity-success-approve ↳beyondtrust-bi-cef-app-activity-success-appauditdelete ↳beyondtrust-bi-cef-app-activity-success-appauditadd ↳beyondtrust-bi-leef-app-activity-success-system ↳beyondtrust-bi-leef-app-activity-success-passwordexpired ↳beyondtrust-bi-leef-app-activity-success-managedaccount ↳beyondtrust-bi-leef-app-activity-success-releasepasswordreset ↳beyondtrust-bi-leef-app-activity-success-thesystem ↳beyondtrust-bi-leef-app-activity-success-mismatch ↳beyondtrust-bi-leef-app-activity-success-updated ↳beyondtrust-bi-leef-app-activity-success-managed ↳beyondtrust-bi-leef-app-activity-success-turnedoff ↳beyondtrust-bi-leef-app-activity-success-passwordreset ↳beyondtrust-bi-leef-app-activity-success-passwordchange ↳beyondtrust-bi-json-app-activity-success-deny ↳beyondtrust-bi-json-app-activity-success-approve ↳beyondtrust-bi-json-app-activity-success-cancel ↳beyondtrust-bi-json-app-activity-success-update ↳beyondtrust-bi-json-app-activity-success-expire app-login ↳beyondtrust-passwordsafe-json-app-login-success-applogin ↳beyondtrust-passwordsafe-json-app-login-success-beyondinsight ↳beyondtrust-bi-leef-app-login-success-login ↳beyondtrust-bi-leef-app-login-success-pmmlogin ↳beyondtrust-bi-cef-app-login-success-login failed-app-login ↳beyondtrust-passwordsafe-json-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-failedtologon ↳beyondtrust-bi-leef-app-login-fail-connectfailure privileged-access ↳beyondtrust-powerbroker-kv-user-privilege-use-success-elevation ↳beyondtrust-bi-json-user-privilege-use-switch-success-retrieve process-created ↳beyondtrust-powerbroker-json-process-create-success-28692 ↳beyondtrust-powerbroker-str-process-create-success-messageforwarded	T1047 - Windows Management Instrumentation T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1136.002 - T1136.002 T1531 - Account Access Removal	51 Rules 27 Models
Privilege Escalation	account-switch ↳beyondtrust-bi-json-user-privilege-use-switch-success-retrieve app-activity ↳beyondtrust-bi-cef-app-activity-success-approve ↳beyondtrust-bi-cef-app-activity-success-appauditdelete ↳beyondtrust-bi-cef-app-activity-success-appauditadd ↳beyondtrust-bi-leef-app-activity-success-system ↳beyondtrust-bi-leef-app-activity-success-passwordexpired ↳beyondtrust-bi-leef-app-activity-success-managedaccount ↳beyondtrust-bi-leef-app-activity-success-releasepasswordreset ↳beyondtrust-bi-leef-app-activity-success-thesystem ↳beyondtrust-bi-leef-app-activity-success-mismatch ↳beyondtrust-bi-leef-app-activity-success-updated ↳beyondtrust-bi-leef-app-activity-success-managed ↳beyondtrust-bi-leef-app-activity-success-turnedoff ↳beyondtrust-bi-leef-app-activity-success-passwordreset ↳beyondtrust-bi-leef-app-activity-success-passwordchange ↳beyondtrust-bi-json-app-activity-success-deny ↳beyondtrust-bi-json-app-activity-success-approve ↳beyondtrust-bi-json-app-activity-success-cancel ↳beyondtrust-bi-json-app-activity-success-update ↳beyondtrust-bi-json-app-activity-success-expire process-created ↳beyondtrust-powerbroker-json-process-create-success-28692 ↳beyondtrust-powerbroker-str-process-create-success-messageforwarded	T1003 - OS Credential Dumping T1007 - System Service Discovery T1012 - Query Registry T1016 - System Network Configuration Discovery T1018 - Remote System Discovery T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1033 - System Owner/User Discovery T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1049 - System Network Connections Discovery T1053.002 - Scheduled Task/Job: At (Windows) T1053.005 - Scheduled Task/Job: Scheduled Task T1057 - Process Discovery T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts T1082 - System Information Discovery T1087 - Account Discovery T1087.001 - Account Discovery: Local Account T1087.002 - Account Discovery: Domain Account T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.003 - Signed Binary Proxy Execution: CMSTP T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification T1482 - Domain Trust Discovery T1484.001 - T1484.001 T1518.001 - T1518.001 T1543.003 - Create or Modify System Process: Windows Service T1547.002 - T1547.002 T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control T1552.006 - T1552.006 T1555.005 - T1555.005 T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.011 - T1574.011	58 Rules 13 Models
Privileged Activity	account-switch ↳beyondtrust-bi-json-user-privilege-use-switch-success-retrieve app-activity ↳beyondtrust-bi-cef-app-activity-success-approve ↳beyondtrust-bi-cef-app-activity-success-appauditdelete ↳beyondtrust-bi-cef-app-activity-success-appauditadd ↳beyondtrust-bi-leef-app-activity-success-system ↳beyondtrust-bi-leef-app-activity-success-passwordexpired ↳beyondtrust-bi-leef-app-activity-success-managedaccount ↳beyondtrust-bi-leef-app-activity-success-releasepasswordreset ↳beyondtrust-bi-leef-app-activity-success-thesystem ↳beyondtrust-bi-leef-app-activity-success-mismatch ↳beyondtrust-bi-leef-app-activity-success-updated ↳beyondtrust-bi-leef-app-activity-success-managed ↳beyondtrust-bi-leef-app-activity-success-turnedoff ↳beyondtrust-bi-leef-app-activity-success-passwordreset ↳beyondtrust-bi-leef-app-activity-success-passwordchange ↳beyondtrust-bi-json-app-activity-success-deny ↳beyondtrust-bi-json-app-activity-success-approve ↳beyondtrust-bi-json-app-activity-success-cancel ↳beyondtrust-bi-json-app-activity-success-update ↳beyondtrust-bi-json-app-activity-success-expire app-login ↳beyondtrust-passwordsafe-json-app-login-success-applogin ↳beyondtrust-passwordsafe-json-app-login-success-beyondinsight ↳beyondtrust-bi-leef-app-login-success-login ↳beyondtrust-bi-leef-app-login-success-pmmlogin ↳beyondtrust-bi-cef-app-login-success-login failed-app-login ↳beyondtrust-passwordsafe-json-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-failedtologon ↳beyondtrust-bi-leef-app-login-fail-connectfailure privileged-access ↳beyondtrust-powerbroker-kv-user-privilege-use-success-elevation ↳beyondtrust-bi-json-user-privilege-use-switch-success-retrieve process-created ↳beyondtrust-powerbroker-json-process-create-success-28692 ↳beyondtrust-powerbroker-str-process-create-success-messageforwarded	T1059.003 - T1059.003 T1078 - Valid Accounts T1482 - Domain Trust Discovery TA0002 - TA0002	16 Rules 9 Models
Ransomware	app-activity ↳beyondtrust-bi-cef-app-activity-success-approve ↳beyondtrust-bi-cef-app-activity-success-appauditdelete ↳beyondtrust-bi-cef-app-activity-success-appauditadd ↳beyondtrust-bi-leef-app-activity-success-system ↳beyondtrust-bi-leef-app-activity-success-passwordexpired ↳beyondtrust-bi-leef-app-activity-success-managedaccount ↳beyondtrust-bi-leef-app-activity-success-releasepasswordreset ↳beyondtrust-bi-leef-app-activity-success-thesystem ↳beyondtrust-bi-leef-app-activity-success-mismatch ↳beyondtrust-bi-leef-app-activity-success-updated ↳beyondtrust-bi-leef-app-activity-success-managed ↳beyondtrust-bi-leef-app-activity-success-turnedoff ↳beyondtrust-bi-leef-app-activity-success-passwordreset ↳beyondtrust-bi-leef-app-activity-success-passwordchange ↳beyondtrust-bi-json-app-activity-success-deny ↳beyondtrust-bi-json-app-activity-success-approve ↳beyondtrust-bi-json-app-activity-success-cancel ↳beyondtrust-bi-json-app-activity-success-update ↳beyondtrust-bi-json-app-activity-success-expire app-login ↳beyondtrust-passwordsafe-json-app-login-success-applogin ↳beyondtrust-passwordsafe-json-app-login-success-beyondinsight ↳beyondtrust-bi-leef-app-login-success-login ↳beyondtrust-bi-leef-app-login-success-pmmlogin ↳beyondtrust-bi-cef-app-login-success-login failed-app-login ↳beyondtrust-passwordsafe-json-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-loginfailure ↳beyondtrust-bi-leef-app-login-fail-failedtologon ↳beyondtrust-bi-leef-app-login-fail-connectfailure process-created ↳beyondtrust-powerbroker-json-process-create-success-28692 ↳beyondtrust-powerbroker-str-process-create-success-messageforwarded	T1003.001 - T1003.001 T1059.003 - T1059.003 T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1078 - Valid Accounts T1218.011 - Signed Binary Proxy Execution: Rundll32 T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification T1486 - Data Encrypted for Impact T1490 - Inhibit System Recovery	5 Rules