Persistence detection question
kyleEeeEEeeee opened this issue · 0 comments
kyleEeeEEeeee commented
Hello,
I ran "T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL" and "T1547.010 Boot or Logon Autostart Execution" and did not see any of the expected RPC traffic. I took a pcap and zeeked it with Zeek 4.0. Do you all have an example or a pcap where these show up? Do you know why it didn't work for me? The first image shows the results of Winlogon and the second is port monitor. Thanks!