diff --git a/sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx b/sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
new file mode 100755
index 00000000..015795a0
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx b/sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
new file mode 100755
index 00000000..cce1347c
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx b/sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx
new file mode 100755
index 00000000..2a9f86b8
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx b/sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx
new file mode 100755
index 00000000..5e7ce922
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/eventlog-dac.evtx b/sample-evtx/DeepBlueCLI/eventlog-dac.evtx
new file mode 100755
index 00000000..d6b125b7
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/eventlog-dac.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/many-events-application.evtx b/sample-evtx/DeepBlueCLI/many-events-application.evtx
new file mode 100755
index 00000000..86ad5124
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/many-events-application.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/many-events-security.evtx b/sample-evtx/DeepBlueCLI/many-events-security.evtx
new file mode 100755
index 00000000..2d897ae2
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/many-events-security.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/many-events-system.evtx b/sample-evtx/DeepBlueCLI/many-events-system.evtx
new file mode 100755
index 00000000..ce615a9c
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/many-events-system.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx b/sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx
new file mode 100755
index 00000000..d7433d03
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx b/sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx
new file mode 100755
index 00000000..de3aa6e6
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx b/sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
new file mode 100755
index 00000000..033aebcc
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx b/sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
new file mode 100755
index 00000000..7411e439
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx b/sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx
new file mode 100755
index 00000000..bfc44dc9
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx b/sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
new file mode 100755
index 00000000..f82f01d1
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx b/sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx
new file mode 100755
index 00000000..7f6132c3
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/new-user-security.evtx b/sample-evtx/DeepBlueCLI/new-user-security.evtx
new file mode 100755
index 00000000..ae8553af
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/new-user-security.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/password-spray.evtx b/sample-evtx/DeepBlueCLI/password-spray.evtx
new file mode 100755
index 00000000..ca892949
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/password-spray.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/powersploit-security.evtx b/sample-evtx/DeepBlueCLI/powersploit-security.evtx
new file mode 100755
index 00000000..b32df5b1
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/powersploit-security.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/powersploit-system.evtx b/sample-evtx/DeepBlueCLI/powersploit-system.evtx
new file mode 100755
index 00000000..6d23da8e
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/powersploit-system.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/psattack-security.evtx b/sample-evtx/DeepBlueCLI/psattack-security.evtx
new file mode 100755
index 00000000..6e7a7119
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/psattack-security.evtx differ
diff --git a/sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx b/sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
new file mode 100755
index 00000000..e7ad9b84
Binary files /dev/null and b/sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
new file mode 100644
index 00000000..6469958c
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
new file mode 100644
index 00000000..e69bcc77
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx
new file mode 100644
index 00000000..653a07f5
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
new file mode 100644
index 00000000..2a2386d3
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
new file mode 100644
index 00000000..13dd580d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
new file mode 100644
index 00000000..aaa1de12
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
new file mode 100644
index 00000000..8b9e5477
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
new file mode 100644
index 00000000..7b4f6cc6
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
new file mode 100644
index 00000000..1248e090
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
new file mode 100644
index 00000000..8743adbd
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_TerminalServices-RemoteConnectionManagerOperational_1149.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_TerminalServices-RemoteConnectionManagerOperational_1149.evtx
new file mode 100644
index 00000000..e58abe47
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_TerminalServices-RemoteConnectionManagerOperational_1149.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
new file mode 100644
index 00000000..ff1072cc
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
new file mode 100644
index 00000000..b7ac92ab
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx
new file mode 100644
index 00000000..ad8ecc64
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx
new file mode 100644
index 00000000..4ba78cfc
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx
new file mode 100644
index 00000000..21ceb7c3
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx
new file mode 100644
index 00000000..a95f5ade
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx
new file mode 100644
index 00000000..b1fc4b67
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_DCSync_4662.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx
new file mode 100644
index 00000000..f327cae9
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_Mimikatz_Memssp_Default_Logs_Sysmon_11.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
new file mode 100644
index 00000000..845235a5
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx
new file mode 100644
index 00000000..bf375305
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx
new file mode 100644
index 00000000..5520f1bb
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
new file mode 100644
index 00000000..309648eb
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
new file mode 100644
index 00000000..ceb623d5
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx
new file mode 100644
index 00000000..b72404ea
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
new file mode 100644
index 00000000..fb13e884
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_teamviewer-dumper_sysmon_10.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_teamviewer-dumper_sysmon_10.evtx
new file mode 100644
index 00000000..8556e32d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_teamviewer-dumper_sysmon_10.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/LsassSilentProcessExit_process_exit_monitor_3001_lsass.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/LsassSilentProcessExit_process_exit_monitor_3001_lsass.evtx
new file mode 100644
index 00000000..c01afcba
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/LsassSilentProcessExit_process_exit_monitor_3001_lsass.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/MSSQL_multiple_failed_logon_EventID_18456.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/MSSQL_multiple_failed_logon_EventID_18456.evtx
new file mode 100644
index 00000000..bfb8fb2f
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/MSSQL_multiple_failed_logon_EventID_18456.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx
new file mode 100644
index 00000000..230d0d1b
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Powershell_4104_MiniDumpWriteDump_Lsass.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx
new file mode 100644
index 00000000..8f235845
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon13_MachineAccount_Password_Hash_Changed_via_LsarSetSecret.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon_13_Local_Admin_Password_Changed.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon_13_Local_Admin_Password_Changed.evtx
new file mode 100644
index 00000000..b54c10c8
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Sysmon_13_Local_Admin_Password_Changed.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx
new file mode 100644
index 00000000..898c4f1c
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx
new file mode 100644
index 00000000..65822951
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
new file mode 100644
index 00000000..6930c1df
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/dc_applog_ntdsutil_dfir_325_326_327.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/dc_applog_ntdsutil_dfir_325_326_327.evtx
new file mode 100644
index 00000000..dfe2f040
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/dc_applog_ntdsutil_dfir_325_326_327.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
new file mode 100644
index 00000000..11e6d6e6
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/etw_rpc_zerologon.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/etw_rpc_zerologon.evtx
new file mode 100644
index 00000000..18eba666
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/etw_rpc_zerologon.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
new file mode 100644
index 00000000..631e2c5b
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx
new file mode 100644
index 00000000..5f9d3916
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/phish_windows_credentials_powershell_scriptblockLog_4104.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
new file mode 100644
index 00000000..4ed4f27f
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
new file mode 100644
index 00000000..db9a9fcd
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx
new file mode 100644
index 00000000..f7d0e4d0
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon17_18_kekeo_tsssp_default_np.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx
new file mode 100644
index 00000000..bff9065a
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
new file mode 100644
index 00000000..7933addf
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
new file mode 100644
index 00000000..e4061a2c
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx
new file mode 100644
index 00000000..acd53bab
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx
new file mode 100644
index 00000000..5e4eeba5
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx
new file mode 100644
index 00000000..d2670a62
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx
new file mode 100644
index 00000000..37a4a918
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx
new file mode 100644
index 00000000..92790c0d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx
new file mode 100644
index 00000000..841ebfb2
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx
new file mode 100644
index 00000000..78a6e192
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
new file mode 100644
index 00000000..37f40f86
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx
new file mode 100644
index 00000000..9faeef17
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx
new file mode 100644
index 00000000..16d8131d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_KernelDebug_and_TestSigning_ON_Security_4826.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_KernelDebug_and_TestSigning_ON_Security_4826.evtx
new file mode 100644
index 00000000..7ad2e941
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_KernelDebug_and_TestSigning_ON_Security_4826.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Powershell_CLM_Disabled_Sysmon_12.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Powershell_CLM_Disabled_Sysmon_12.evtx
new file mode 100644
index 00000000..f3824f6b
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Powershell_CLM_Disabled_Sysmon_12.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx
new file mode 100644
index 00000000..3badbcce
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx
new file mode 100644
index 00000000..0e1752b0
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_WinEventLogSvc_Crash_System_7036.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_WinEventLogSvc_Crash_System_7036.evtx
new file mode 100644
index 00000000..bc8714a5
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_WinEventLogSvc_Crash_System_7036.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
new file mode 100644
index 00000000..18b2f571
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx
new file mode 100644
index 00000000..13a36bc4
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_renamed_psexec_service_sysmon_17_18.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
new file mode 100644
index 00000000..0bcf59b3
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_xp_cmdshell_enabled_MSSQL_EID_15457.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_xp_cmdshell_enabled_MSSQL_EID_15457.evtx
new file mode 100644
index 00000000..5155d6ad
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_xp_cmdshell_enabled_MSSQL_EID_15457.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx
new file mode 100644
index 00000000..4333c9b9
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
new file mode 100644
index 00000000..41faa43d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
new file mode 100644
index 00000000..e930e0fd
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx
new file mode 100644
index 00000000..7b87b7cf
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx
new file mode 100644
index 00000000..801f8661
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Win_4985_T1186_Process_Doppelganging.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Win_4985_T1186_Process_Doppelganging.evtx
new file mode 100644
index 00000000..0f84163c
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Win_4985_T1186_Process_Doppelganging.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx
new file mode 100644
index 00000000..4996e732
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx
new file mode 100644
index 00000000..f328a559
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_PsScriptBlockLogging_disabled_sysmon12_13.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx
new file mode 100644
index 00000000..72ba8156
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx
new file mode 100644
index 00000000..2febe9e6
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_powershell_execpolicy_changed_sysmon_13.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_powershell_execpolicy_changed_sysmon_13.evtx
new file mode 100644
index 00000000..e3e316be
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_powershell_execpolicy_changed_sysmon_13.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx
new file mode 100644
index 00000000..da8aee77
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
new file mode 100644
index 00000000..7b28dd1e
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx
new file mode 100644
index 00000000..7307ccc8
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx
new file mode 100644
index 00000000..9a411ab0
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
new file mode 100644
index 00000000..699f7cb9
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/meterpreter_migrate_to_explorer_sysmon_8.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/meterpreter_migrate_to_explorer_sysmon_8.evtx
new file mode 100644
index 00000000..bd16e7b1
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/meterpreter_migrate_to_explorer_sysmon_8.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx
new file mode 100644
index 00000000..a2d8d0fd
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx
new file mode 100644
index 00000000..9d387c3e
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx
new file mode 100644
index 00000000..70c8b9c6
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
new file mode 100644
index 00000000..14f391a0
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx
new file mode 100644
index 00000000..466f021b
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_2_11_evasion_timestomp_MACE.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx
new file mode 100644
index 00000000..1a52be5b
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/Discovery_Remote_System_NamedPipes_Sysmon_18.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
new file mode 100644
index 00000000..a22c64ee
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx
new file mode 100644
index 00000000..d8dcea32
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_UEFI_Settings_rweverything_sysmon_6.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx
new file mode 100644
index 00000000..578d89be
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx
new file mode 100644
index 00000000..8dcee07a
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_enum_shares_target_sysmon_3_18.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_local_user_or_group_windows_security_4799_4798.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_local_user_or_group_windows_security_4799_4798.evtx
new file mode 100644
index 00000000..d57af951
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_local_user_or_group_windows_security_4799_4798.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
new file mode 100644
index 00000000..b810604c
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx
new file mode 100644
index 00000000..5707c53e
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_18_Invoke_UserHunter_NetSessionEnum_DC-srvsvc.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_18_Invoke_UserHunter_NetSessionEnum_DC-srvsvc.evtx
new file mode 100644
index 00000000..ef803dce
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_18_Invoke_UserHunter_NetSessionEnum_DC-srvsvc.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
new file mode 100644
index 00000000..0326abe9
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx
new file mode 100644
index 00000000..3b0cb126
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_via_cpl_Application_Experience_EventID_17_ControlPanelApplet.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_via_cpl_Application_Experience_EventID_17_ControlPanelApplet.evtx
new file mode 100644
index 00000000..6b7f289e
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_via_cpl_Application_Experience_EventID_17_ControlPanelApplet.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
new file mode 100644
index 00000000..b3c9d973
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
new file mode 100644
index 00000000..51732f54
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx
new file mode 100644
index 00000000..17ec1183
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx
new file mode 100644
index 00000000..6ad46c37
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx
new file mode 100644
index 00000000..1d1bc7d1
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
new file mode 100644
index 00000000..df1b0560
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
new file mode 100644
index 00000000..128173e2
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
new file mode 100644
index 00000000..e5485261
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx
new file mode 100644
index 00000000..e7d57a67
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
new file mode 100644
index 00000000..2157760c
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx
new file mode 100644
index 00000000..afcdb6dc
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
new file mode 100644
index 00000000..d995ec91
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx
new file mode 100644
index 00000000..5f769a86
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx
new file mode 100644
index 00000000..9a348504
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx
new file mode 100644
index 00000000..309bcd9f
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
new file mode 100644
index 00000000..c824fddf
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
new file mode 100644
index 00000000..a9c533b0
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
new file mode 100644
index 00000000..92fba371
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx
new file mode 100644
index 00000000..7f1ae2f6
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/rogue_msi_url_1040_1042.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/rogue_msi_url_1040_1042.evtx
new file mode 100644
index 00000000..e5ee01d8
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/rogue_msi_url_1040_1042.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
new file mode 100644
index 00000000..fbfe43d2
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx
new file mode 100644
index 00000000..6de71380
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx
new file mode 100644
index 00000000..78d42e91
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
new file mode 100644
index 00000000..b87951a4
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
new file mode 100644
index 00000000..971fb1e8
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
new file mode 100644
index 00000000..7ca1845d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
new file mode 100644
index 00000000..c3a27161
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
new file mode 100644
index 00000000..5ae5a556
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
new file mode 100644
index 00000000..7391ef7e
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
new file mode 100644
index 00000000..90b5df73
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx
new file mode 100644
index 00000000..9fc179fe
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx
new file mode 100644
index 00000000..2c2db114
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/DFIR_RDP_Client_TimeZone_RdpCoreTs_104_example.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/DFIR_RDP_Client_TimeZone_RdpCoreTs_104_example.evtx
new file mode 100644
index 00000000..637443cd
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/DFIR_RDP_Client_TimeZone_RdpCoreTs_104_example.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
new file mode 100644
index 00000000..def2fad1
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
new file mode 100644
index 00000000..3cf2a8ba
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
new file mode 100644
index 00000000..7e4da59a
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx
new file mode 100644
index 00000000..0d346b53
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx
new file mode 100644
index 00000000..a0fe87ff
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_NewShare_Added_Sysmon_12_13.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_NewShare_Added_Sysmon_12_13.evtx
new file mode 100644
index 00000000..801f6c49
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_NewShare_Added_Sysmon_12_13.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx
new file mode 100644
index 00000000..ec9defca
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
new file mode 100644
index 00000000..cdd4c4fd
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service01_5145_svcctl.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service01_5145_svcctl.evtx
new file mode 100644
index 00000000..fc7e3b53
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service01_5145_svcctl.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx
new file mode 100644
index 00000000..defba62c
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_Remote_Service02_7045.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
new file mode 100644
index 00000000..43c10aff
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
new file mode 100644
index 00000000..8dd1423a
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
new file mode 100644
index 00000000..de0c7ba0
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_add_new_namedpipe_tp_nullsession_registry_turla_like_ttp.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_add_new_namedpipe_tp_nullsession_registry_turla_like_ttp.evtx
new file mode 100644
index 00000000..23d883e5
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_add_new_namedpipe_tp_nullsession_registry_turla_like_ttp.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_dcom_shwnd_shbrwnd_mmc20_failed_traces_system_10016.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_dcom_shwnd_shbrwnd_mmc20_failed_traces_system_10016.evtx
new file mode 100644
index 00000000..aeb71458
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_dcom_shwnd_shbrwnd_mmc20_failed_traces_system_10016.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
new file mode 100644
index 00000000..6aa2c962
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx
new file mode 100644
index 00000000..348f3723
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
new file mode 100644
index 00000000..f648c59d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
new file mode 100644
index 00000000..1fe952b9
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
new file mode 100644
index 00000000..13c1e002
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx
new file mode 100644
index 00000000..0ec49e4f
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_DCOM_ShellBrowserWindow_ShellWindows.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
new file mode 100644
index 00000000..a7a62972
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx
new file mode 100644
index 00000000..3a7c4e42
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx
new file mode 100644
index 00000000..f53ca16a
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
new file mode 100644
index 00000000..5516c3bc
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx
new file mode 100644
index 00000000..6728e9e7
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_target_wrmlogs_91_wsmanShellStarted_poorLog.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_target_wrmlogs_91_wsmanShellStarted_poorLog.evtx
new file mode 100644
index 00000000..8fc51c65
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_target_wrmlogs_91_wsmanShellStarted_poorLog.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
new file mode 100644
index 00000000..eb06ae41
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx
new file mode 100644
index 00000000..f4ec0d52
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_xp_cmdshell_MSSQL_Events.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_xp_cmdshell_MSSQL_Events.evtx
new file mode 100644
index 00000000..53d1177c
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_xp_cmdshell_MSSQL_Events.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/MSSQL_15281_xp_cmdshell_exec_failed_attempt.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/MSSQL_15281_xp_cmdshell_exec_failed_attempt.evtx
new file mode 100644
index 00000000..68decb61
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/MSSQL_15281_xp_cmdshell_exec_failed_attempt.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/RemotePowerShell_MS_Windows-Remote_Management_EventID_169.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/RemotePowerShell_MS_Windows-Remote_Management_EventID_169.evtx
new file mode 100644
index 00000000..c718e617
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/RemotePowerShell_MS_Windows-Remote_Management_EventID_169.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/dfir_rdpsharp_target_RdpCoreTs_168_68_131.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/dfir_rdpsharp_target_RdpCoreTs_168_68_131.evtx
new file mode 100644
index 00000000..aed91789
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/dfir_rdpsharp_target_RdpCoreTs_168_68_131.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx
new file mode 100644
index 00000000..143c1290
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lateral_movement_startup_3_11.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx
new file mode 100644
index 00000000..6222ea48
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
new file mode 100644
index 00000000..3bdc2510
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx
new file mode 100644
index 00000000..5df90837
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
new file mode 100644
index 00000000..56a2acbd
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx
new file mode 100644
index 00000000..9e2aee63
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx
new file mode 100644
index 00000000..08657225
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx
new file mode 100644
index 00000000..702fed92
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx
new file mode 100644
index 00000000..c3f44db2
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smb_bi_auth_conn_spoolsample.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
new file mode 100644
index 00000000..5c863374
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx
new file mode 100644
index 00000000..28c41f6e
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx
new file mode 100644
index 00000000..59582f9b
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
new file mode 100644
index 00000000..dc12dd88
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
new file mode 100644
index 00000000..201f7d98
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx
new file mode 100644
index 00000000..e0486886
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Shime_Microsoft-Windows-Application-Experience_Program-Telemetry_500.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Shime_Microsoft-Windows-Application-Experience_Program-Telemetry_500.evtx
new file mode 100644
index 00000000..e0183d0d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Shime_Microsoft-Windows-Application-Experience_Program-Telemetry_500.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx
new file mode 100644
index 00000000..b1df6ab1
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx
new file mode 100644
index 00000000..936196bc
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx
new file mode 100644
index 00000000..ad17cfff
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
new file mode 100644
index 00000000..51efc5a1
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_turla_outlook_backdoor_comhijack.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_turla_outlook_backdoor_comhijack.evtx
new file mode 100644
index 00000000..a36697d6
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_turla_outlook_backdoor_comhijack.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx
new file mode 100644
index 00000000..32d315ed
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
new file mode 100644
index 00000000..56a115b7
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
new file mode 100644
index 00000000..eac7b71b
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_hidden_local_account_sysmon.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_hidden_local_account_sysmon.evtx
new file mode 100644
index 00000000..d2da07e5
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_hidden_local_account_sysmon.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx
new file mode 100644
index 00000000..a47de79d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_pendingGPO_sysmon_13.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx
new file mode 100644
index 00000000..916a3f4a
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_startup_UserShellStartup_Folder_Changed_sysmon_13.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_startup_UserShellStartup_Folder_Changed_sysmon_13.evtx
new file mode 100644
index 00000000..e28478b3
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_startup_UserShellStartup_Folder_Changed_sysmon_13.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
new file mode 100644
index 00000000..c1dd99bb
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
new file mode 100644
index 00000000..1eac3dc5
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
new file mode 100644
index 00000000..877602a7
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx
new file mode 100644
index 00000000..b433c8f8
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
new file mode 100644
index 00000000..d16afb07
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx
new file mode 100644
index 00000000..781f15c3
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_local_account_creation_and_added_admingroup_12_13.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx
new file mode 100644
index 00000000..187e28c0
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx
new file mode 100644
index 00000000..1d5793b3
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx
new file mode 100644
index 00000000..2deb14fb
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx
new file mode 100644
index 00000000..6d7a5aa4
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
new file mode 100644
index 00000000..9f0192d4
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx
new file mode 100644
index 00000000..6d4b5de0
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx
new file mode 100644
index 00000000..3735cbcb
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_CVE-2020-1313_Sysmon_13_UScheduler_Cmdline.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
new file mode 100644
index 00000000..ad7117b3
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx
new file mode 100644
index 00000000..7ea3f150
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx
new file mode 100644
index 00000000..2dfb0afb
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
new file mode 100644
index 00000000..0eb7f0ad
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx
new file mode 100644
index 00000000..3a55bb80
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx
new file mode 100644
index 00000000..c8caa190
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
new file mode 100644
index 00000000..62675b25
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
new file mode 100644
index 00000000..6bb68c53
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
new file mode 100644
index 00000000..3f128695
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
new file mode 100644
index 00000000..379cd8cd
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
new file mode 100644
index 00000000..093970db
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
new file mode 100644
index 00000000..524b4890
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
new file mode 100644
index 00000000..ef0306e2
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
new file mode 100644
index 00000000..c4e4df7d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx
new file mode 100644
index 00000000..39819e49
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx
new file mode 100644
index 00000000..755c581a
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx
new file mode 100644
index 00000000..165a9fe9
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx
new file mode 100644
index 00000000..75825cfd
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
new file mode 100644
index 00000000..310b7dec
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
new file mode 100644
index 00000000..1c0a5f38
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
new file mode 100644
index 00000000..b4a09ab3
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
new file mode 100644
index 00000000..b3eb74e3
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
new file mode 100644
index 00000000..d6572052
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx
new file mode 100644
index 00000000..35bab650
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx
new file mode 100644
index 00000000..7e44ea6e
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
new file mode 100644
index 00000000..58a1379e
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/System_7045_namedpipe_privesc.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/System_7045_namedpipe_privesc.evtx
new file mode 100644
index 00000000..2c450a19
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/System_7045_namedpipe_privesc.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
new file mode 100644
index 00000000..f6bad85d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx
new file mode 100644
index 00000000..9a6f7c89
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
new file mode 100644
index 00000000..01258655
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx
new file mode 100644
index 00000000..2734fd81
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_registry_symlink_CVE-2020-1377.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
new file mode 100644
index 00000000..c1c5503d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
new file mode 100644
index 00000000..41e0bffb
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
new file mode 100644
index 00000000..73050c35
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
new file mode 100644
index 00000000..6b275277
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx
new file mode 100644
index 00000000..1cc979d2
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
new file mode 100644
index 00000000..cdfaf0ac
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
new file mode 100644
index 00000000..512b5bbd
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
new file mode 100644
index 00000000..28a0ada3
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
new file mode 100644
index 00000000..fb6b357b
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
new file mode 100644
index 00000000..856c297c
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
new file mode 100644
index 00000000..d0e4584a
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx
new file mode 100644
index 00000000..a0ebad44
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
new file mode 100644
index 00000000..d5527b8e
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx
new file mode 100644
index 00000000..893098b3
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
new file mode 100644
index 00000000..c89dc0f8
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
new file mode 100644
index 00000000..7438bb72
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx
new file mode 100644
index 00000000..3c41ce92
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
new file mode 100644
index 00000000..f8f8cfa5
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
new file mode 100644
index 00000000..1845e33a
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
new file mode 100644
index 00000000..4e921ae7
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
new file mode 100644
index 00000000..9030d41c
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx
new file mode 100644
index 00000000..27109d85
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
new file mode 100644
index 00000000..fff75b45
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx
new file mode 100644
index 00000000..b4f45dc6
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx
new file mode 100644
index 00000000..4f15a576
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx differ
diff --git a/sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx b/sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
new file mode 100644
index 00000000..f6bad85d
Binary files /dev/null and b/sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx b/sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
new file mode 100644
index 00000000..3d016c16
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1151-Defender health status.evtx b/sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1151-Defender health status.evtx
new file mode 100644
index 00000000..36f49708
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1151-Defender health status.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx
new file mode 100644
index 00000000..9874110a
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx
new file mode 100644
index 00000000..d1075cc5
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx
new file mode 100644
index 00000000..b7c0379b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx
new file mode 100644
index 00000000..69d86e53
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx
new file mode 100644
index 00000000..f9c82d60
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx
new file mode 100644
index 00000000..7d5ef39b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx
new file mode 100644
index 00000000..ae6b7890
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx
new file mode 100644
index 00000000..a2657351
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID33205-SQL Server failed login with disabled SA account.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID33205-SQL Server failed login with disabled SA account.evtx
new file mode 100644
index 00000000..b35a6f4d
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID33205-SQL Server failed login with disabled SA account.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx
new file mode 100644
index 00000000..68b9ef68
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx
new file mode 100644
index 00000000..bb41d702
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMIexec process execution.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMIexec process execution.evtx
new file mode 100644
index 00000000..f8a2a2c4
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMIexec process execution.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
new file mode 100644
index 00000000..9f32603e
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx
new file mode 100644
index 00000000..e489d51f
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-4698 Persistent scheduled task with SYSTEM privileges creation.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Interactive shell using AT schedule task.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Interactive shell using AT schedule task.evtx
new file mode 100644
index 00000000..7a485bfc
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Interactive shell using AT schedule task.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Scheduled task creation.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Scheduled task creation.evtx
new file mode 100644
index 00000000..97d03167
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4688-Scheduled task creation.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx
new file mode 100644
index 00000000..a39df1f8
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx
new file mode 100644
index 00000000..35587506
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx
new file mode 100644
index 00000000..d551b4fc
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
new file mode 100644
index 00000000..9770b6f8
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx
new file mode 100644
index 00000000..2d30d801
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID800-4103-Interactive PipeShell over named pipe (server and client).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx
new file mode 100644
index 00000000..b7ec571b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.003-Windows Command Shell/ID4688-SQL Server payload injectection for reverse shell (MSF).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx
new file mode 100644
index 00000000..564517ae
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-service massive remote creation via named pipe - Tchopper.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-service massive remote creation via named pipe - Tchopper.evtx
new file mode 100644
index 00000000..e38a399d
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-service massive remote creation via named pipe - Tchopper.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx
new file mode 100644
index 00000000..bcf84318
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7000,7009,7045-Payload deployed via service - Tchopper.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7009-Service deployment time out (meterpreter).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7009-Service deployment time out (meterpreter).evtx
new file mode 100644
index 00000000..8c7c7402
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID7009-Service deployment time out (meterpreter).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/ID13-WMIimplant registry crash control.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/ID13-WMIimplant registry crash control.evtx
new file mode 100644
index 00000000..581d0fff
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/ID13-WMIimplant registry crash control.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID33205-SQL Server member added to database role.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID33205-SQL Server member added to database role.evtx
new file mode 100644
index 00000000..cde43371
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID33205-SQL Server member added to database role.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID33205-SQL Server member added to server role.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID33205-SQL Server member added to server role.evtx
new file mode 100644
index 00000000..185d03e1
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID33205-SQL Server member added to server role.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID33205-SQL Server user linked to a database.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID33205-SQL Server user linked to a database.evtx
new file mode 100644
index 00000000..b72a753c
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID33205-SQL Server user linked to a database.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4688-SPN added to an account.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4688-SPN added to an account.evtx
new file mode 100644
index 00000000..200e4bed
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4688-SPN added to an account.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
new file mode 100644
index 00000000..83963e28
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
new file mode 100644
index 00000000..fa62cb4c
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx
new file mode 100644
index 00000000..74a0b72c
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx
new file mode 100644
index 00000000..add1d076
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-DNSadmin new member added.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-DNSadmin new member added.evtx
new file mode 100644
index 00000000..a0abc23d
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-DNSadmin new member added.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
new file mode 100644
index 00000000..27814159
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,4781-User renamed to admin or likely.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,4781-User renamed to admin or likely.evtx
new file mode 100644
index 00000000..9defcd7c
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,4781-User renamed to admin or likely.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx
new file mode 100644
index 00000000..1514aaea
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Account is sensitive and cannot be delegated.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Account is sensitive and cannot be delegated.evtx
new file mode 100644
index 00000000..3abdabb7
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Account is sensitive and cannot be delegated.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Account with password not required.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Account with password not required.evtx
new file mode 100644
index 00000000..e35c1561
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Account with password not required.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx
new file mode 100644
index 00000000..765263c4
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Password cannot be changed.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Password cannot be changed.evtx
new file mode 100644
index 00000000..6890e9f9
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Password cannot be changed.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Password never expires.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Password never expires.evtx
new file mode 100644
index 00000000..b5e0d13e
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Password never expires.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx
new file mode 100644
index 00000000..a3f5937a
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-User set with reversible psw encryption.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-User set with reversible psw encryption.evtx
new file mode 100644
index 00000000..0ee7e4f9
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-User set with reversible psw encryption.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to any service, Kerberos only).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to any service, Kerberos only).evtx
new file mode 100644
index 00000000..92ec77c5
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to any service, Kerberos only).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx
new file mode 100644
index 00000000..3b842748
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx
new file mode 100644
index 00000000..af961dda
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-SPN set on computer account.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-SPN set on computer account.evtx
new file mode 100644
index 00000000..52a4de11
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-SPN set on computer account.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx
new file mode 100644
index 00000000..07972c1e
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742-SPN set on computer account (DCshadow).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4756-Exchange admin group change.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4756-Exchange admin group change.evtx
new file mode 100644
index 00000000..e517acfe
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4756-Exchange admin group change.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx
new file mode 100644
index 00000000..509ccc0f
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID33205-SQL Server Disabled SA user activated.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID33205-SQL Server Disabled SA user activated.evtx
new file mode 100644
index 00000000..24d9fd06
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID33205-SQL Server Disabled SA user activated.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID33205-SQL Server local user created.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID33205-SQL Server local user created.evtx
new file mode 100644
index 00000000..7769ce5b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID33205-SQL Server local user created.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx
new file mode 100644
index 00000000..1e78efee
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx
new file mode 100644
index 00000000..f6028278
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx
new file mode 100644
index 00000000..f2a2845b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx
new file mode 100644
index 00000000..ae1a0441
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx
new file mode 100644
index 00000000..2e140154
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4722-Guest account activated.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4722-Guest account activated.evtx
new file mode 100644
index 00000000..5420f2ce
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4722-Guest account activated.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4742-4743-Fast created & deleted computer account.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4742-4743-Fast created & deleted computer account.evtx
new file mode 100644
index 00000000..39cf46ef
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4742-4743-Fast created & deleted computer account.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx
new file mode 100644
index 00000000..01bf3c6e
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx
new file mode 100644
index 00000000..3d67ddaf
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID4688-BITS transfer initiated.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx
new file mode 100644
index 00000000..78f556dc
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx
new file mode 100644
index 00000000..a1a9e360
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID11-Exchange transport config modified.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID11-Exchange transport config modified.evtx
new file mode 100644
index 00000000..e1b34ee3
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID11-Exchange transport config modified.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx
new file mode 100644
index 00000000..070faa96
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID11715-SQL Server started in single mode for psw recovery.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID11715-SQL Server started in single mode for psw recovery.evtx
new file mode 100644
index 00000000..4a552de2
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID11715-SQL Server started in single mode for psw recovery.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID15457-SQL Server CMDshell enabled.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID15457-SQL Server CMDshell enabled.evtx
new file mode 100644
index 00000000..c6f354f1
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID15457-SQL Server CMDshell enabled.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID15457-SQL server CLR lateral movement.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID15457-SQL server CLR lateral movement.evtx
new file mode 100644
index 00000000..bd6ba00b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID15457-SQL server CLR lateral movement.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server started in single mode for psw recovery.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server started in single mode for psw recovery.evtx
new file mode 100644
index 00000000..2538587f
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-SQL Server started in single mode for psw recovery.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-sqlcmd tool abuse in SQL Server.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-sqlcmd tool abuse in SQL Server.evtx
new file mode 100644
index 00000000..85c1ad4a
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505.001-SQL Stored Procedures/ID4688-sqlcmd tool abuse in SQL Server.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx
new file mode 100644
index 00000000..ddbd94c8
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx
new file mode 100644
index 00000000..570d79a5
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Command SC to create service on remote host.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Command SC to create service on remote host.evtx
new file mode 100644
index 00000000..ff9591a9
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Command SC to create service on remote host.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx
new file mode 100644
index 00000000..6ab7692a
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with Failure Command.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx
new file mode 100644
index 00000000..1b4aad92
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service abuse with malicious path.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service created (command).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service created (command).evtx
new file mode 100644
index 00000000..4a7bab6f
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service created (command).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx
new file mode 100644
index 00000000..03d0cbe5
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (registry).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (sc).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (sc).evtx
new file mode 100644
index 00000000..d12fc08b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-Service permissions modified (sc).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx
new file mode 100644
index 00000000..20667679
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
new file mode 100644
index 00000000..ae062361
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx
new file mode 100644
index 00000000..d20e2e1e
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
new file mode 100644
index 00000000..c8ad382b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx
new file mode 100644
index 00000000..121e8d3e
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx
new file mode 100644
index 00000000..ec65c8eb
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with Failure Command.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx
new file mode 100644
index 00000000..3d5a92ec
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service abuse with malicious path.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx
new file mode 100644
index 00000000..bb0146c3
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID800-4103-4104-Service creation (PowerShell).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx
new file mode 100644
index 00000000..6f559bc7
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID19-20-WMI registration via PowerLurk.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx
new file mode 100644
index 00000000..840d3109
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID5136-AdminSDholder backdoor obfuscation (via localizationDisplayId).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID5136-AdminSDholder backdoor obfuscation (via localizationDisplayId).evtx
new file mode 100644
index 00000000..f6adf349
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID5136-AdminSDholder backdoor obfuscation (via localizationDisplayId).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID5136-AdminSDholder permissions changed.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID5136-AdminSDholder permissions changed.evtx
new file mode 100644
index 00000000..84bb39fb
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID5136-AdminSDholder permissions changed.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx
new file mode 100644
index 00000000..f864a0dd
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID800-4103-4104-WMI registration via PowerLurk.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1547-Boot or Logon Autostart Execution/ID4622-New SSP loaded in LSA (only legitim).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1547-Boot or Logon Autostart Execution/ID4622-New SSP loaded in LSA (only legitim).evtx
new file mode 100644
index 00000000..ef71177e
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1547-Boot or Logon Autostart Execution/ID4622-New SSP loaded in LSA (only legitim).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx
new file mode 100644
index 00000000..f24d2973
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx
new file mode 100644
index 00000000..7a87582f
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx
new file mode 100644
index 00000000..39921c90
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx
new file mode 100644
index 00000000..157db7da
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID800-4103-4104-Print spooler privilege escalation (CVE-2020-1048).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4704-4705-User righ assigned to account.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4704-4705-User righ assigned to account.evtx
new file mode 100644
index 00000000..10312d3a
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4704-4705-User righ assigned to account.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4717-4718-System security granded to account.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4717-4718-System security granded to account.evtx
new file mode 100644
index 00000000..9f276ea7
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1134-Access Token Manipulation/ID4717-4718-System security granded to account.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1484.001-Domain Policy Modification-Group Policy Modification/ID5136-4662 sensitive GPO edited.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1484.001-Domain Policy Modification-Group Policy Modification/ID5136-4662 sensitive GPO edited.evtx
new file mode 100644
index 00000000..c524b1b4
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1484.001-Domain Policy Modification-Group Policy Modification/ID5136-4662 sensitive GPO edited.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx
new file mode 100644
index 00000000..3073ca4b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx
new file mode 100644
index 00000000..980637ce
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID11-New sethc file created from CMD copy.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx
new file mode 100644
index 00000000..e2bbaadd
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx
new file mode 100644
index 00000000..1b688c13
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx
new file mode 100644
index 00000000..085b7fe6
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4688-Stickey command reg update + execution.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx
new file mode 100644
index 00000000..dc1c1b58
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx
new file mode 100644
index 00000000..54f2fa77
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx
new file mode 100644
index 00000000..531c2697
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx
new file mode 100644
index 00000000..56b237f5
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1027-Obfuscated Files or Information/ID4688-Obfuscated payload transfer via service name - Tchopper.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
new file mode 100644
index 00000000..952fb786
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt.evtx
new file mode 100644
index 00000000..fd345376
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID4688-Clear event log attempt.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx
new file mode 100644
index 00000000..92bea99e
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID800-4103-4104-Clear event log attempt.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx
new file mode 100644
index 00000000..63f495d9
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit object disabled.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit object disabled.evtx
new file mode 100644
index 00000000..f45637a0
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit object disabled.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server Database audit specification deleted.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server Database audit specification deleted.evtx
new file mode 100644
index 00000000..050a2f54
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server Database audit specification deleted.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server Database audit specification disabled.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server Database audit specification disabled.evtx
new file mode 100644
index 00000000..292c4302
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server Database audit specification disabled.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit object deleted.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit object deleted.evtx
new file mode 100644
index 00000000..68ea75fb
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit object deleted.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit specification deleted.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit specification deleted.evtx
new file mode 100644
index 00000000..002353ae
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit specification deleted.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit specification disabled.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit specification disabled.evtx
new file mode 100644
index 00000000..78665f27
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID33205-SQL Server audit specification disabled.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4688-Audit policy clear attempt.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4688-Audit policy clear attempt.evtx
new file mode 100644
index 00000000..e695ab19
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4688-Audit policy clear attempt.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4688-Audit policy deactivation attempt.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4688-Audit policy deactivation attempt.evtx
new file mode 100644
index 00000000..fe52fe47
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4688-Audit policy deactivation attempt.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
new file mode 100644
index 00000000..eb15496b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4739-Domain policy changed by non system account.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4739-Domain policy changed by non system account.evtx
new file mode 100644
index 00000000..ecff20c5
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4739-Domain policy changed by non system account.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4908-Special group table changed.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4908-Special group table changed.evtx
new file mode 100644
index 00000000..972429e7
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4908-Special group table changed.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1078.002-Valid accounts-Domain accounts/ID4964-Login of a member of a special group.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1078.002-Valid accounts-Domain accounts/ID4964-Login of a member of a special group.evtx
new file mode 100644
index 00000000..360967f9
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1078.002-Valid accounts-Domain accounts/ID4964-Login of a member of a special group.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID11,13-WMIexec service registration.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID11,13-WMIexec service registration.evtx
new file mode 100644
index 00000000..30d32e31
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1112-Modify registry/ID11,13-WMIexec service registration.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx
new file mode 100644
index 00000000..f2b095f9
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1207-Rogue domain controller/ID4662-Sensitive attributes accessed (DCshadow).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1207-Rogue domain controller/ID4662-Sensitive attributes accessed (DCshadow).evtx
new file mode 100644
index 00000000..22de9b64
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1207-Rogue domain controller/ID4662-Sensitive attributes accessed (DCshadow).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1207-Rogue domain controller/ID5137-Fake domain controller registration (DCshadow).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1207-Rogue domain controller/ID5137-Fake domain controller registration (DCshadow).evtx
new file mode 100644
index 00000000..051b9836
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1207-Rogue domain controller/ID5137-Fake domain controller registration (DCshadow).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5124-OCSP security settings changed.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5124-OCSP security settings changed.evtx
new file mode 100644
index 00000000..bcbfcadd
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5124-OCSP security settings changed.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on OU by computer.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on OU by computer.evtx
new file mode 100644
index 00000000..a2a09737
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on OU by computer.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on OU by user.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on OU by user.evtx
new file mode 100644
index 00000000..199612e6
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on OU by user.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx
new file mode 100644
index 00000000..65658149
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permissions changed on a GPO.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permissions changed on a GPO.evtx
new file mode 100644
index 00000000..6b0cbb95
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permissions changed on a GPO.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx
new file mode 100644
index 00000000..248ea40a
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx
new file mode 100644
index 00000000..3750964f
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender critical features disabled (command).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx
new file mode 100644
index 00000000..02d9ab47
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID4688-Defender service deactivation attempt.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx
new file mode 100644
index 00000000..8345ee93
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx
new file mode 100644
index 00000000..401a5382
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender critical features disabled (PowerShell).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx
new file mode 100644
index 00000000..bbd9cc8a
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender default action allow any (PowerShell).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx
new file mode 100644
index 00000000..69561890
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID800-4103-4104 Defender exclusion added (PowerShell).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx
new file mode 100644
index 00000000..ce948298
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2004-Any any firewall rule created.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2004-Any any firewall rule created.evtx
new file mode 100644
index 00000000..90be3c7e
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2004-Any any firewall rule created.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2004-New firewall rule created by PowerShell.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2004-New firewall rule created by PowerShell.evtx
new file mode 100644
index 00000000..7c26253e
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2004-New firewall rule created by PowerShell.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx
new file mode 100644
index 00000000..1d25a5a7
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4103-4104-2004-OpenSSH firewall rule activation.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
new file mode 100644
index 00000000..8983c54b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx
new file mode 100644
index 00000000..aee0b2d6
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1564-Hide artifacts/ID4688-Linux Subsystem installation (WSL).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1564-Hide artifacts/ID4688-Linux Subsystem installation (WSL).evtx
new file mode 100644
index 00000000..c806af8b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1564-Hide artifacts/ID4688-Linux Subsystem installation (WSL).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
new file mode 100644
index 00000000..053dab60
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx
new file mode 100644
index 00000000..3802bc5d
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID11-Mimikatz LSA SSP clear text password exfiltration.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID325-327-IFM created - ESENT.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID325-327-IFM created - ESENT.evtx
new file mode 100644
index 00000000..00241b3c
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID325-327-IFM created - ESENT.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx
new file mode 100644
index 00000000..8e4cd330
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
new file mode 100644
index 00000000..7bca1aed
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx
new file mode 100644
index 00000000..3886cd36
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-Suspicious SAM access to password attributes by LSASS (Dcshadow).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-Suspicious SAM access to password attributes by LSASS (Dcshadow).evtx
new file mode 100644
index 00000000..03e76470
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-Suspicious SAM access to password attributes by LSASS (Dcshadow).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
new file mode 100644
index 00000000..74e569fa
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Diskshadow abuse.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Diskshadow abuse.evtx
new file mode 100644
index 00000000..a5906e3d
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-Diskshadow abuse.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx
new file mode 100644
index 00000000..09648076
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-IFM created.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
new file mode 100644
index 00000000..0ab20974
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4756-Exchange critical group change (DCsync).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4756-Exchange critical group change (DCsync).evtx
new file mode 100644
index 00000000..c05ae392
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4756-Exchange critical group change (DCsync).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx
new file mode 100644
index 00000000..50f68c1a
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx
new file mode 100644
index 00000000..870d9adc
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx
new file mode 100644
index 00000000..e1da3695
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1040-Traffic sniffing/ID-4688 Native Windows sniffer Pktmon usage.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID18456-SQL Server failed login because only Windows auth.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID18456-SQL Server failed login because only Windows auth.evtx
new file mode 100644
index 00000000..549200f2
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID18456-SQL Server failed login because only Windows auth.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID33205-SQL Server failed login because only Windows auth.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID33205-SQL Server failed login because only Windows auth.evtx
new file mode 100644
index 00000000..87f4abe6
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID33205-SQL Server failed login because only Windows auth.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID33205-SQL Server failed login with SA wrong password.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID33205-SQL Server failed login with SA wrong password.evtx
new file mode 100644
index 00000000..e1260699
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID33205-SQL Server failed login with SA wrong password.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID33205-SQL Server failed login with non existing accounts.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID33205-SQL Server failed login with non existing accounts.evtx
new file mode 100644
index 00000000..2c3e7ec7
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID33205-SQL Server failed login with non existing accounts.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4-OpenSSH brutforce with non existing user (sshd logs).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4-OpenSSH brutforce with non existing user (sshd logs).evtx
new file mode 100644
index 00000000..ea743cb6
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4-OpenSSH brutforce with non existing user (sshd logs).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4-OpenSSH brutforce with valid user.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4-OpenSSH brutforce with valid user.evtx
new file mode 100644
index 00000000..2d914a4e
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4-OpenSSH brutforce with valid user.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
new file mode 100644
index 00000000..9a13e4df
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx
new file mode 100644
index 00000000..2fd1f31b
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
new file mode 100644
index 00000000..50fe6b63
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
new file mode 100644
index 00000000..b5877012
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
new file mode 100644
index 00000000..cc9060a5
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
new file mode 100644
index 00000000..666cf337
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx
new file mode 100644
index 00000000..b463d009
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
new file mode 100644
index 00000000..98eda9af
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
new file mode 100644
index 00000000..48c1aae6
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx
new file mode 100644
index 00000000..916d381f
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx
new file mode 100644
index 00000000..e88fab9f
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx
new file mode 100644
index 00000000..22c382a9
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID6004-DNS-server-failed zone transfer.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID6004-DNS-server-failed zone transfer.evtx
new file mode 100644
index 00000000..bf3ab947
Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID6004-DNS-server-failed zone transfer.evtx differ
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx new file mode 100644 index 00000000..1863991c Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID800-4103-4104-Firewall configuration enumerated (PowerShell).evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM domain users & groups discovery.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM domain users & groups discovery.evtx new file mode 100644 index 00000000..f5e0ab63 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM domain users & groups discovery.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx new file mode 100644 index 00000000..10f9f11b Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx differ 
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx new file mode 100644 index 00000000..43d58d15 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx new file mode 100644 index 00000000..a40e6e8a Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Domain group discovery via PowerShell.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx new file mode 100644 index 00000000..3faa516d Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID800-4103-4104-Local group discovery via PowerShell.evtx.evtx differ 
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx new file mode 100644 index 00000000..6d6e2f45 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx new file mode 100644 index 00000000..6fb68d0b Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4103-4104 - SPN discovery (moder nPowerShell).evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx new file mode 100644 index 00000000..9bd3f2e6 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4688-List all Service Principal Names (SPN).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4688-List all Service Principal Names (SPN).evtx new file mode 100644 index 00000000..200e4bed Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4688-List all Service Principal Names (SPN).evtx differ 
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx new file mode 100644 index 00000000..cdd1f15e Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID800 - SPN discovery (PowerShell).evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID800 - SPN discovery (PowerShell).evtx new file mode 100644 index 00000000..b495cd93 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID800 - SPN discovery (PowerShell).evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx new file mode 100644 index 00000000..e186d658 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx new file mode 100644 index 00000000..753b3318 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx differ 
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx new file mode 100644 index 00000000..10c47fe3 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx new file mode 100644 index 00000000..b7d605bd Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx new file mode 100644 index 00000000..19f2ca69 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688,4778,4779 RDP hijack direct.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx new file mode 100644 index 00000000..ac4eff4c Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4688-4778 RDP hijack command execution.evtx differ 
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx new file mode 100644 index 00000000..0253412c Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx new file mode 100644 index 00000000..6817cf68 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx new file mode 100644 index 00000000..6aaf2e3b Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx differ 
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx new file mode 100644 index 00000000..0108724e Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx new file mode 100644 index 00000000..3614d952 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142-5143-Mimispool print share created and modified.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142-5143-Mimispool print share created and modified.evtx new file mode 100644 index 00000000..08ce7c86 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142-5143-Mimispool print share created and modified.evtx differ 
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx new file mode 100644 index 00000000..564517ae Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx new file mode 100644 index 00000000..b95a6825 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4103,4104-DCOMexec native via PowerShell.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx new file mode 100644 index 00000000..61c7fe81 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx differ 
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4-OpenSSH server listening.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4-OpenSSH server listening.evtx new file mode 100644 index 00000000..0f73e1dd Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4-OpenSSH server listening.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx new file mode 100644 index 00000000..7dc4b12b Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server activation and config.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx new file mode 100644 index 00000000..ca15e02c Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.004-Remote Service SSH/ID4103-4104-OpenSSH server install.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx new file mode 100644 index 00000000..e500c68c Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx differ 
diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx new file mode 100644 index 00000000..c3d6b35a Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx differ diff --git a/sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx b/sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx new file mode 100644 index 00000000..2d014a76 Binary files /dev/null and b/sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx differ