gitextract_6lfx6dd0/ ├── .gitattributes ├── .github/ │ ├── FUNDING.yml │ ├── ISSUE_TEMPLATE/ │ │ ├── false_positive_report.yml │ │ └── rule_proposal.md │ ├── PULL_REQUEST_TEMPLATE.md │ ├── labeler.yml │ ├── latest_archiver_output.md │ └── workflows/ │ ├── goodlog-tests.yml │ ├── greetings.yml │ ├── known-FPs.csv │ ├── matchgrep.sh │ ├── pr-labeler.yml │ ├── ref-archiver.yml │ ├── regression-tests.yml │ ├── release.yml │ ├── sigma-rule-deprecated.yml │ ├── sigma-rule-promoter.yml │ ├── sigma-test.yml │ ├── sigma-validation.yml │ └── update-heatmap.yml ├── .gitignore ├── .yamllint ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── Releases.md ├── deprecated/ │ ├── README.md │ ├── cloud/ │ │ ├── azure_app_credential_modification.yml │ │ └── azure_app_permissions_for_api.yml │ ├── deprecated.csv │ ├── deprecated.json │ ├── linux/ │ │ ├── lnx_auditd_alter_bash_profile.yml │ │ ├── lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml │ │ └── lnx_space_after_filename_.yml │ ├── macos/ │ │ ├── proc_creation_macos_add_to_admin_group.yml │ │ └── proc_creation_macos_malware_amos_filegrabber_exec.yml │ ├── other/ │ │ └── generic_brute_force.yml │ ├── web/ │ │ ├── proxy_apt_domestic_kitten.yml │ │ ├── proxy_cobalt_amazon.yml │ │ ├── proxy_cobalt_malformed_uas.yml │ │ ├── proxy_cobalt_ocsp.yml │ │ ├── proxy_cobalt_onedrive.yml │ │ ├── proxy_ios_implant.yml │ │ └── proxy_webdav_search_ms.yml │ └── windows/ │ ├── create_remote_thread_win_susp_remote_thread_target.yml │ ├── driver_load_win_mal_creddumper.yml │ ├── driver_load_win_mal_poortry_driver.yml │ ├── driver_load_win_powershell_script_installed_as_service.yml │ ├── driver_load_win_vuln_avast_anti_rootkit_driver.yml │ ├── driver_load_win_vuln_dell_driver.yml │ ├── driver_load_win_vuln_drivers_names.yml │ ├── driver_load_win_vuln_gigabyte_driver.yml │ ├── driver_load_win_vuln_hw_driver.yml │ ├── driver_load_win_vuln_lenovo_driver.yml │ ├── file_event_win_access_susp_teams.yml │ ├── file_event_win_access_susp_unattend_xml.yml │ ├── file_event_win_crackmapexec_patterns.yml │ ├── file_event_win_hktl_createminidump.yml │ ├── file_event_win_lsass_memory_dump_file_creation.yml │ ├── file_event_win_mimikatz_memssp_log_file.yml │ ├── file_event_win_office_outlook_rdp_file_creation.yml │ ├── file_event_win_susp_clr_logs.yml │ ├── image_load_alternate_powershell_hosts_moduleload.yml │ ├── image_load_office_dsparse_dll_load.yml │ ├── image_load_office_kerberos_dll_load.yml │ ├── image_load_side_load_advapi32.yml │ ├── image_load_side_load_scm.yml │ ├── image_load_side_load_svchost_dlls.yml │ ├── image_load_susp_uncommon_image_load.yml │ ├── image_load_susp_winword_wmidll_load.yml │ ├── net_connection_win_binary_github_com.yml │ ├── net_connection_win_reddit_api_non_browser_access.yml │ ├── net_connection_win_susp_epmap.yml │ ├── pipe_created_psexec_pipes_artifacts.yml │ ├── posh_pm_powercat.yml │ ├── posh_ps_access_to_chrome_login_data.yml │ ├── posh_ps_azurehound_commands.yml │ ├── posh_ps_cl_invocation_lolscript.yml │ ├── posh_ps_cl_mutexverifiers_lolscript.yml │ ├── posh_ps_dnscat_execution.yml │ ├── posh_ps_exchange_mailbox_smpt_forwarding_rule.yml │ ├── posh_ps_file_and_directory_discovery.yml │ ├── posh_ps_invoke_nightmare.yml │ ├── posh_ps_susp_gwmi.yml │ ├── powershell_ps_susp_win32_shadowcopy.yml │ ├── powershell_suspicious_download.yml │ ├── powershell_suspicious_invocation_generic.yml │ ├── powershell_suspicious_invocation_specific.yml │ ├── powershell_syncappvpublishingserver_exe.yml │ ├── proc_access_win_in_memory_assembly_execution.yml │ ├── proc_access_win_lazagne_cred_dump_lsass_access.yml │ ├── proc_access_win_lsass_susp_access.yml │ ├── proc_access_win_pypykatz_cred_dump_lsass_access.yml │ ├── proc_access_win_susp_invoke_patchingapi.yml │ ├── proc_creation_win_apt_apt29_thinktanks.yml │ ├── proc_creation_win_apt_dragonfly.yml │ ├── proc_creation_win_apt_gallium.yml │ ├── proc_creation_win_apt_hurricane_panda.yml │ ├── proc_creation_win_apt_lazarus_activity_apr21.yml │ ├── proc_creation_win_apt_lazarus_loader.yml │ ├── proc_creation_win_apt_muddywater_dnstunnel.yml │ ├── proc_creation_win_apt_ta505_dropper.yml │ ├── proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml │ ├── proc_creation_win_certutil_susp_execution.yml │ ├── proc_creation_win_cmd_read_contents.yml │ ├── proc_creation_win_cmd_redirect_to_stream.yml │ ├── proc_creation_win_credential_acquisition_registry_hive_dumping.yml │ ├── proc_creation_win_cscript_vbs.yml │ ├── proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml │ ├── proc_creation_win_filefix_browsers.yml │ ├── proc_creation_win_indirect_cmd.yml │ ├── proc_creation_win_indirect_command_execution_forfiles.yml │ ├── proc_creation_win_invoke_obfuscation_via_rundll.yml │ ├── proc_creation_win_invoke_obfuscation_via_use_rundll32.yml │ ├── proc_creation_win_lolbas_execution_of_wuauclt.yml │ ├── proc_creation_win_lolbin_findstr.yml │ ├── proc_creation_win_lolbin_office.yml │ ├── proc_creation_win_lolbin_rdrleakdiag.yml │ ├── proc_creation_win_lolbins_by_office_applications.yml │ ├── proc_creation_win_mal_ryuk.yml │ ├── proc_creation_win_malware_trickbot_recon_activity.yml │ ├── proc_creation_win_mavinject_proc_inj.yml │ ├── proc_creation_win_msdt_diagcab.yml │ ├── proc_creation_win_new_service_creation.yml │ ├── proc_creation_win_nslookup_pwsh_download_cradle.yml │ ├── proc_creation_win_odbcconf_susp_exec.yml │ ├── proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml │ ├── proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml │ ├── proc_creation_win_office_spawning_wmi_commandline.yml │ ├── proc_creation_win_possible_applocker_bypass.yml │ ├── proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml │ ├── proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml │ ├── proc_creation_win_powershell_base64_listing_shadowcopy.yml │ ├── proc_creation_win_powershell_base64_shellcode.yml │ ├── proc_creation_win_powershell_bitsjob.yml │ ├── proc_creation_win_powershell_download_cradles.yml │ ├── proc_creation_win_powershell_service_modification.yml │ ├── proc_creation_win_powershell_susp_ps_downloadfile.yml │ ├── proc_creation_win_powershell_xor_encoded_command.yml │ ├── proc_creation_win_reg_dump_sam.yml │ ├── proc_creation_win_regsvr32_anomalies.yml │ ├── proc_creation_win_renamed_paexec.yml │ ├── proc_creation_win_renamed_powershell.yml │ ├── proc_creation_win_renamed_psexec.yml │ ├── proc_creation_win_renamed_rundll32.yml │ ├── proc_creation_win_root_certificate_installed.yml │ ├── proc_creation_win_run_from_zip.yml │ ├── proc_creation_win_rundll32_js_runhtmlapplication.yml │ ├── proc_creation_win_rundll32_script_run.yml │ ├── proc_creation_win_sc_delete_av_services.yml │ ├── proc_creation_win_schtasks_user_temp.yml │ ├── proc_creation_win_service_stop.yml │ ├── proc_creation_win_susp_bitstransfer.yml │ ├── proc_creation_win_susp_cmd_exectution_via_wmi.yml │ ├── proc_creation_win_susp_commandline_chars.yml │ ├── proc_creation_win_susp_lolbin_non_c_drive.yml │ ├── proc_creation_win_susp_run_folder.yml │ ├── proc_creation_win_susp_squirrel_lolbin.yml │ ├── proc_creation_win_sysinternals_psexec_service_execution.yml │ ├── proc_creation_win_sysinternals_psexesvc_start.yml │ ├── proc_creation_win_whoami_as_system.yml │ ├── proc_creation_win_whoami_execution.yml │ ├── proc_creation_win_winword_dll_load.yml │ ├── proc_creation_win_wmic_execution_via_office_process.yml │ ├── proc_creation_win_wmic_remote_command.yml │ ├── proc_creation_win_wmic_remote_service.yml │ ├── proc_creation_win_wuauclt_execution.yml │ ├── process_creation_syncappvpublishingserver_exe.yml │ ├── registry_add_sysinternals_sdelete_registry_keys.yml │ ├── registry_event_asep_reg_keys_modification.yml │ ├── registry_set_abusing_windows_telemetry_for_persistence.yml │ ├── registry_set_add_hidden_user.yml │ ├── registry_set_creation_service_uncommon_folder.yml │ ├── registry_set_disable_microsoft_office_security_features.yml │ ├── registry_set_malware_adwind.yml │ ├── registry_set_office_security.yml │ ├── registry_set_persistence_com_hijacking_susp_locations.yml │ ├── registry_set_persistence_search_order.yml │ ├── registry_set_silentprocessexit.yml │ ├── sysmon_accessing_winapi_in_powershell_credentials_dumping.yml │ ├── sysmon_dcom_iertutil_dll_hijack.yml │ ├── sysmon_mimikatz_detection_lsass.yml │ ├── sysmon_powershell_execution_moduleload.yml │ ├── sysmon_rclone_execution.yml │ ├── win_defender_disabled.yml │ ├── win_dsquery_domain_trust_discovery.yml │ ├── win_lateral_movement_condrv.yml │ ├── win_security_event_log_cleared.yml │ ├── win_security_group_modification_logging.yml │ ├── win_security_lolbas_execution_of_nltest.yml │ ├── win_security_windows_defender_exclusions_write_deleted.yml │ ├── win_susp_esentutl_activity.yml │ ├── win_susp_rclone_exec.yml │ ├── win_susp_vssadmin_ntds_activity.yml │ ├── win_system_service_install_susp_double_ampersand.yml │ └── win_system_susp_sam_dump.yml ├── documentation/ │ ├── README.md │ ├── logsource-guides/ │ │ ├── other/ │ │ │ └── antivirus.md │ │ └── windows/ │ │ ├── category/ │ │ │ ├── process_creation.md │ │ │ ├── ps_module.md │ │ │ ├── ps_script.md │ │ │ ├── registry_add.md │ │ │ ├── registry_delete.md │ │ │ ├── registry_event.md │ │ │ ├── registry_rename.md │ │ │ └── registry_set.md │ │ └── service/ │ │ ├── powershell.md │ │ └── security.md │ └── tools/ │ └── sigma-logsource-checker.py ├── other/ │ ├── godmode_sigma_rule.yml │ └── sigma_attack_nav_coverage.json ├── regression_data/ │ ├── rules/ │ │ └── windows/ │ │ ├── file/ │ │ │ └── file_event/ │ │ │ ├── file_event_win_advanced_ip_scanner/ │ │ │ │ ├── fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx │ │ │ │ ├── fed85bf9-e075-4280-9159-fbe8a023d6fa.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_anydesk_artefact/ │ │ │ │ ├── 0b9ad457-2554-44c1-82c2-d56a99c42377.evtx │ │ │ │ ├── 0b9ad457-2554-44c1-82c2-d56a99c42377.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_create_evtx_non_common_locations/ │ │ │ │ ├── 65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx │ │ │ │ ├── 65236ec7-ace0-4f0c-82fd-737b04fd4dcb.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_create_non_existent_dlls/ │ │ │ │ ├── df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx │ │ │ │ ├── df6ecb8b-7822-4f4b-b412-08f524b4576c.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_creation_new_shim_database/ │ │ │ │ ├── ee63c85c-6d51-4d12-ad09-04e25877a947.evtx │ │ │ │ ├── ee63c85c-6d51-4d12-ad09-04e25877a947.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_creation_system_dll_files/ │ │ │ │ ├── 13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx │ │ │ │ ├── 13c02350-4177-4e45-ac17-cf7ca628ff5e.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_creation_system_file/ │ │ │ │ ├── d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx │ │ │ │ ├── d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_cred_dump_tools_dropped_files/ │ │ │ │ ├── 8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx │ │ │ │ ├── 8fbf3271-1ef6-4e94-8210-03c2317947f6.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_dump_file_susp_creation/ │ │ │ │ ├── aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx │ │ │ │ ├── aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_in_uncommon_location/ │ │ │ │ ├── 1cf465a1-2609-4c15-9b66-c32dbe4bfd67.evtx │ │ │ │ ├── 1cf465a1-2609-4c15-9b66-c32dbe4bfd67.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_susp_lnk_double_extension/ │ │ │ │ ├── 3215aa19-f060-4332-86d5-5602511f3ca8.evtx │ │ │ │ ├── 3215aa19-f060-4332-86d5-5602511f3ca8.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_susp_public_folder_extension/ │ │ │ │ ├── b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx │ │ │ │ ├── b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json │ │ │ │ └── info.yml │ │ │ ├── file_event_win_susp_recycle_bin_fake_exec/ │ │ │ │ ├── cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx │ │ │ │ ├── cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.json │ │ │ │ └── info.yml │ │ │ └── file_event_win_taskmgr_lsass_dump/ │ │ │ ├── 69ca12af-119d-44ed-b50f-a47af0ebc364.evtx │ │ │ ├── 69ca12af-119d-44ed-b50f-a47af0ebc364.json │ │ │ └── info.yml │ │ ├── image_load/ │ │ │ ├── image_load_side_load_cpl_from_non_system_location/ │ │ │ │ ├── 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.evtx │ │ │ │ ├── 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.json │ │ │ │ └── info.yml │ │ │ └── image_load_win_susp_dbgcore_dbghelp_load/ │ │ │ ├── 416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx │ │ │ ├── 416bc4a2-7217-4519-8dc7-c3271817f1d5.json │ │ │ └── info.yml │ │ ├── process_access/ │ │ │ ├── proc_access_win_susp_dbgcore_dbghelp_load/ │ │ │ │ ├── 9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx │ │ │ │ ├── 9f5c1d59-33be-4e60-bcab-85d2f566effd.json │ │ │ │ └── info.yml │ │ │ └── proc_access_win_werfaultsecure_msmpeng_access/ │ │ │ ├── 387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx │ │ │ ├── 387df17d-3b04-448f-8669-9e7fd5e5fd8c.json │ │ │ └── info.yml │ │ ├── process_creation/ │ │ │ ├── proc_creation_win_amsi_registry_tampering/ │ │ │ │ ├── 7dbbcac2-57a0-45ac-b306-ff30a8bd2981.evtx │ │ │ │ ├── 7dbbcac2-57a0-45ac-b306-ff30a8bd2981.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download/ │ │ │ │ ├── d059842b-6b9d-4ed1-b5c3-5b89143c6ede.evtx │ │ │ │ ├── d059842b-6b9d-4ed1-b5c3-5b89143c6ede.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download_direct_ip/ │ │ │ │ ├── 99c840f2-2012-46fd-9141-c761987550ef.evtx │ │ │ │ ├── 99c840f2-2012-46fd-9141-c761987550ef.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download_file_sharing_domains/ │ │ │ │ ├── 8518ed3d-f7c9-4601-a26c-f361a4256a0c.evtx │ │ │ │ ├── 8518ed3d-f7c9-4601-a26c-f361a4256a0c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download_susp_extensions/ │ │ │ │ ├── 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.evtx │ │ │ │ ├── 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_bitsadmin_download_susp_targetfolder/ │ │ │ │ ├── 2ddef153-167b-4e89-86b6-757a9e65dcac.evtx │ │ │ │ ├── 2ddef153-167b-4e89-86b6-757a9e65dcac.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_headless_file_download/ │ │ │ │ ├── 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx │ │ │ │ ├── 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_load_extension/ │ │ │ │ ├── 88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx │ │ │ │ ├── 88d6e60c-759d-4ac1-a447-c0f1466c2d21.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_mockbin_abuse/ │ │ │ │ ├── 1c526788-0abe-4713-862f-b520da5e5316.evtx │ │ │ │ ├── 1c526788-0abe-4713-862f-b520da5e5316.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_chromium_susp_load_extension/ │ │ │ │ ├── 27ba3207-dd30-4812-abbf-5d20c57d474e.evtx │ │ │ │ ├── 27ba3207-dd30-4812-abbf-5d20c57d474e.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_inline_file_download/ │ │ │ │ ├── 94771a71-ba41-4b6e-a757-b531372eaab6.evtx │ │ │ │ ├── 94771a71-ba41-4b6e-a757-b531372eaab6.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_browsers_tor_execution/ │ │ │ │ ├── 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx │ │ │ │ ├── 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_certificate_installation/ │ │ │ │ ├── d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx │ │ │ │ ├── d2125259-ddea-4c1c-9c22-977eb5b29cf0.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_decode/ │ │ │ │ ├── cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx │ │ │ │ ├── cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_download/ │ │ │ │ ├── 19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx │ │ │ │ ├── 19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_download_direct_ip/ │ │ │ │ ├── 13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx │ │ │ │ ├── 13e6fe51-d478-4c7e-b0f2-6da9b400a829.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_download_file_sharing_domains/ │ │ │ │ ├── 42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx │ │ │ │ ├── 42a5f1e7-9603-4f6d-97ae-3f37d130d794.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_encode/ │ │ │ │ ├── e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx │ │ │ │ ├── e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_encode_susp_extensions/ │ │ │ │ ├── ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx │ │ │ │ ├── ea0cdc3e-2239-4f26-a947-4e8f8224e464.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_encode_susp_location/ │ │ │ │ ├── 82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx │ │ │ │ ├── 82a6714f-4899-4f16-9c1e-9a333544d4c3.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_export_pfx/ │ │ │ │ ├── 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx │ │ │ │ ├── 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_certutil_ntlm_coercion/ │ │ │ │ ├── 6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx │ │ │ │ ├── 6c6d9280-e6d0-4b9d-80ac-254701b64916.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_chcp_codepage_lookup/ │ │ │ │ ├── 7090adee-82e2-4269-bd59-80691e7c6338.evtx │ │ │ │ ├── 7090adee-82e2-4269-bd59-80691e7c6338.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_chcp_codepage_switch/ │ │ │ │ ├── c7942406-33dd-4377-a564-0f62db0593a3.evtx │ │ │ │ ├── c7942406-33dd-4377-a564-0f62db0593a3.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cipher_overwrite_deleted_data/ │ │ │ │ ├── 4b046706-5789-4673-b111-66f25fe99534.evtx │ │ │ │ ├── 4b046706-5789-4673-b111-66f25fe99534.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_clip_execution/ │ │ │ │ ├── ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx │ │ │ │ ├── ddeff553-5233-4ae9-bbab-d64d2bd634be.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_assoc_execution/ │ │ │ │ ├── 3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx │ │ │ │ ├── 3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_dir_execution/ │ │ │ │ ├── 7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx │ │ │ │ ├── 7c9340a9-e2ee-4e43-94c5-c54ebbea1006.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_launched_with_hidden_start_flag/ │ │ │ │ ├── 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.evtx │ │ │ │ ├── 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_mklink_osk_cmd/ │ │ │ │ ├── e9b61244-893f-427c-b287-3e708f321c6b.evtx │ │ │ │ ├── e9b61244-893f-427c-b287-3e708f321c6b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmd_rmdir_execution/ │ │ │ │ ├── 41ca393d-538c-408a-ac27-cf1e038be80c.evtx │ │ │ │ ├── 41ca393d-538c-408a-ac27-cf1e038be80c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmdkey_adding_generic_creds/ │ │ │ │ ├── b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx │ │ │ │ ├── b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_cmdkey_recon/ │ │ │ │ ├── 07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx │ │ │ │ ├── 07f8bdc2-c9b3-472a-9817-5a670b872f53.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_conhost_headless_powershell/ │ │ │ │ ├── 056c7317-9a09-4bd4-9067-d051312752ea.evtx │ │ │ │ ├── 056c7317-9a09-4bd4-9067-d051312752ea.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_credential_guard_registry_tampering/ │ │ │ │ ├── c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.evtx │ │ │ │ ├── c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_cookie_hijacking/ │ │ │ │ ├── 5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx │ │ │ │ ├── 5a6e1e16-07de-48d8-8aae-faa766c05e88.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_custom_user_agent/ │ │ │ │ ├── 85de1f22-d189-44e4-8239-dc276b45379b.evtx │ │ │ │ ├── 85de1f22-d189-44e4-8239-dc276b45379b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_download_direct_ip_exec/ │ │ │ │ ├── 9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx │ │ │ │ ├── 9cc85849-3b02-4cb5-b371-3a1ff54f2218.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_download_direct_ip_susp_extensions/ │ │ │ │ ├── 5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx │ │ │ │ ├── 5cb299fc-5fb1-4d07-b989-0644c68b6043.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_download_susp_file_sharing_domains/ │ │ │ │ ├── 56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx │ │ │ │ ├── 56454143-524f-49fb-b1c6-3fb8b1ad41fb.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_insecure_connection/ │ │ │ │ ├── cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx │ │ │ │ ├── cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_insecure_proxy_or_doh/ │ │ │ │ ├── 2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx │ │ │ │ ├── 2c1486f5-02e8-4f86-9099-b97f2da4ed77.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_local_file_read/ │ │ │ │ ├── aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx │ │ │ │ ├── aa6f6ea6-0676-40dd-b510-6e46f02d8867.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_curl_susp_download/ │ │ │ │ ├── e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx │ │ │ │ ├── e218595b-bbe7-4ee5-8a96-f32a24ad3468.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_devcon_disable_vmci_driver/ │ │ │ │ ├── 85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx │ │ │ │ ├── 85f520e7-6f5e-43ca-874c-222e5bf9c0de.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dirlister_execution/ │ │ │ │ ├── b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx │ │ │ │ ├── b4dc61f5-6cce-468e-a608-b48b469feaa2.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_discovery_via_reg_queries/ │ │ │ │ ├── 0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx │ │ │ │ ├── 0022869c-49f7-4ff2-ba03-85ac42ddac58.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dism_remove/ │ │ │ │ ├── 43e32da2-fdd0-4156-90de-50dfd62636f9.evtx │ │ │ │ ├── 43e32da2-fdd0-4156-90de-50dfd62636f9.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_driverquery_recon/ │ │ │ │ ├── 9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx │ │ │ │ ├── 9fc3072c-dc8f-4bf7-b231-18950000fadd.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_driverquery_usage/ │ │ │ │ ├── a20def93-0709-4eae-9bd2-31206e21e6b2.evtx │ │ │ │ ├── a20def93-0709-4eae-9bd2-31206e21e6b2.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dsquery_domain_trust_discovery/ │ │ │ │ ├── 3bad990e-4848-4a78-9530-b427d854aac0.evtx │ │ │ │ ├── 3bad990e-4848-4a78-9530-b427d854aac0.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_dtrace_kernel_dump/ │ │ │ │ ├── 7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx │ │ │ │ ├── 7124aebe-4cd7-4ccb-8df0-6d6b93c96795.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_explorer_folder_shortcut_via_shell_binary/ │ │ │ │ ├── c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx │ │ │ │ ├── c3d76afc-93df-461e-8e67-9b2bad3f2ac4.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_gpp_passwords/ │ │ │ │ ├── 91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx │ │ │ │ ├── 91a2c315-9ee6-4052-a853-6f6a8238f90d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_lsass/ │ │ │ │ ├── fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx │ │ │ │ ├── fe63010f-8823-4864-a96b-a7b4a0f7b929.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_recon_everyone/ │ │ │ │ ├── 47e4bab7-c626-47dc-967b-255608c9a920.evtx │ │ │ │ ├── 47e4bab7-c626-47dc-967b-255608c9a920.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_recon_pipe_output/ │ │ │ │ ├── ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx │ │ │ │ ├── ccb5742c-c248-4982-8c5c-5571b9275ad3.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_findstr_security_keyword_lookup/ │ │ │ │ ├── 4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx │ │ │ │ ├── 4fe074b4-b833-4081-8f24-7dcfeca72b42.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_finger_execution/ │ │ │ │ ├── af491bca-e752-4b44-9c86-df5680533dbc.evtx │ │ │ │ ├── af491bca-e752-4b44-9c86-df5680533dbc.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_github_self_hosted_runner/ │ │ │ │ ├── 5bac7a56-da88-4c27-922e-c81e113b20cb.evtx │ │ │ │ ├── 5bac7a56-da88-4c27-922e-c81e113b20cb.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_gpresult_execution/ │ │ │ │ ├── e56d3073-83ff-4021-90fe-c658e0709e72.evtx │ │ │ │ ├── e56d3073-83ff-4021-90fe-c658e0709e72.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hh_chm_execution/ │ │ │ │ ├── 68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx │ │ │ │ ├── 68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hktl_edr_freeze/ │ │ │ │ ├── c598cc0c-9e70-4852-b9eb-8921af79f598.evtx │ │ │ │ ├── c598cc0c-9e70-4852-b9eb-8921af79f598.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hktl_wsass/ │ │ │ │ ├── 589ac73f-8e12-409c-964e-31a2f5775ae2.evtx │ │ │ │ ├── 589ac73f-8e12-409c-964e-31a2f5775ae2.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_hvci_registry_tampering/ │ │ │ │ ├── 6225c53a-a96e-4235-b28f-8d7997cd96eb.evtx │ │ │ │ ├── 6225c53a-a96e-4235-b28f-8d7997cd96eb.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_adfind_enumeration/ │ │ │ │ ├── 455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx │ │ │ │ ├── 455b9d50-15a1-4b99-853f-8d37655a4c1b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_adfind_execution/ │ │ │ │ ├── 514e7e3e-b3b4-4a67-af60-be20f139198b.evtx │ │ │ │ ├── 514e7e3e-b3b4-4a67-af60-be20f139198b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_adfind_susp_usage/ │ │ │ │ ├── 9a132afa-654e-11eb-ae93-0242ac130002.evtx │ │ │ │ ├── 9a132afa-654e-11eb-ae93-0242ac130002.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_advanced_ip_scanner/ │ │ │ │ ├── bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx │ │ │ │ ├── bef37fa2-f205-4a7b-b484-0759bfd5f86f.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_advanced_port_scanner/ │ │ │ │ ├── 54773c5f-f1cc-4703-9126-2f797d96a69d.evtx │ │ │ │ ├── 54773c5f-f1cc-4703-9126-2f797d96a69d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_advancedrun/ │ │ │ │ ├── d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx │ │ │ │ ├── d2b749ee-4225-417e-b20e-a8d2193cbb84.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_advancedrun_priv_user/ │ │ │ │ ├── fa00b701-44c6-4679-994d-5a18afa8a707.evtx │ │ │ │ ├── fa00b701-44c6-4679-994d-5a18afa8a707.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_pua_kdu_driver_tool/ │ │ │ │ ├── e76ca062-4de0-4d79-8d90-160a0d335eca.evtx │ │ │ │ ├── e76ca062-4de0-4d79-8d90-160a0d335eca.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_reg_add_run_key/ │ │ │ │ ├── de587dce-915e-4218-aac4-835ca6af6f70.evtx │ │ │ │ ├── de587dce-915e-4218-aac4-835ca6af6f70.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_reg_add_safeboot/ │ │ │ │ ├── d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx │ │ │ │ ├── d7662ff6-9e97-4596-a61d-9839e32dee8d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_reg_system_language_discovery/ │ │ │ │ ├── c43a5405-e8e1-4221-9ac9-dbe3fa14e886.evtx │ │ │ │ ├── c43a5405-e8e1-4221-9ac9-dbe3fa14e886.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_registry_special_accounts_hide_user/ │ │ │ │ ├── 9ec9fb1b-e059-4489-9642-f270c207923d.evtx │ │ │ │ ├── 9ec9fb1b-e059-4489-9642-f270c207923d.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_adfind/ │ │ │ │ ├── df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx │ │ │ │ ├── df55196f-f105-44d3-a675-e9dfb6cc2f2b.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_binary/ │ │ │ │ ├── 36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx │ │ │ │ ├── 36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_binary_highly_relevant/ │ │ │ │ ├── 0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx │ │ │ │ ├── 0ba1da6d-b6ce-4366-828c-18826c9de23e.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_curl/ │ │ │ │ ├── 7530cd3d-7671-43e3-b209-976966f6ea48.evtx │ │ │ │ ├── 7530cd3d-7671-43e3-b209-976966f6ea48.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_ftp/ │ │ │ │ ├── 277a4393-446c-449a-b0ed-7fdc7795244c.evtx │ │ │ │ ├── 277a4393-446c-449a-b0ed-7fdc7795244c.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_renamed_msdt/ │ │ │ │ ├── bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx │ │ │ │ ├── bd1c6866-65fc-44b2-be51-5588fcff82b9.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_sc_stop_service/ │ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx │ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.json │ │ │ │ ├── 81bcb81b-5b1f-474b-b373-52c871aaa7b1.jsoncls │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_susp_eventlog_content_recon/ │ │ │ │ ├── beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.evtx │ │ │ │ ├── beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_susp_system_exe_anomaly/ │ │ │ │ ├── e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx │ │ │ │ ├── e4a6b256-3e47-40fc-89d2-7a477edd6915.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_svchost_masqueraded_execution/ │ │ │ │ ├── be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx │ │ │ │ ├── be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_user_shell_folders_registry_modification/ │ │ │ │ ├── 8f3ab69a-aa22-4943-aa58-e0a52fdf6818.evtx │ │ │ │ ├── 8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json │ │ │ │ └── info.yml │ │ │ ├── proc_creation_win_vulnerable_driver_blocklist_registry_tampering/ │ │ │ │ ├── 22154f0e-5132-4a54-aa78-cc62f6def531.evtx │ │ │ │ ├── 22154f0e-5132-4a54-aa78-cc62f6def531.json │ │ │ │ └── info.yml │ │ │ └── proc_creation_win_werfaultsecure_abuse/ │ │ │ ├── 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx │ │ │ ├── 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json │ │ │ └── info.yml │ │ ├── registry/ │ │ │ ├── registry_delete/ │ │ │ │ ├── registry_delete_disable_credential_guard/ │ │ │ │ │ ├── d645ef86-2396-48a1-a2b6-b629ca3f57ff.evtx │ │ │ │ │ ├── d645ef86-2396-48a1-a2b6-b629ca3f57ff.json │ │ │ │ │ └── info.yml │ │ │ │ ├── registry_delete_removal_amsi_registry_key/ │ │ │ │ │ ├── 41d1058a-aea7-4952-9293-29eaaf516465.evtx │ │ │ │ │ ├── 41d1058a-aea7-4952-9293-29eaaf516465.json │ │ │ │ │ └── info.yml │ │ │ │ ├── registry_delete_runmru/ │ │ │ │ │ ├── 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx │ │ │ │ │ ├── 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.json │ │ │ │ │ └── info.yml │ │ │ │ ├── registry_delete_schtasks_hide_task_via_index_value_removal/ │ │ │ │ │ ├── 526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx │ │ │ │ │ ├── 526cc8bc-1cdc-48ad-8b26-f19bff969cec.json │ │ │ │ │ └── info.yml │ │ │ │ └── registry_delete_schtasks_hide_task_via_sd_value_removal/ │ │ │ │ ├── acd74772-5f88-45c7-956b-6a7b36c294d2.evtx │ │ │ │ ├── acd74772-5f88-45c7-956b-6a7b36c294d2.json │ │ │ │ └── info.yml │ │ │ ├── registry_event/ │ │ │ │ └── registry_event_add_local_hidden_user/ │ │ │ │ ├── 460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx │ │ │ │ ├── 460479f3-80b7-42da-9c43-2cc1d54dbccd.json │ │ │ │ └── info.yml │ │ │ └── registry_set/ │ │ │ ├── registry_set_add_load_service_in_safe_mode/ │ │ │ │ ├── 1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx │ │ │ │ ├── 1547e27c-3974-43e2-a7d7-7f484fb928ec.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_add_port_monitor/ │ │ │ │ ├── 944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx │ │ │ │ ├── 944e8941-f6f6-4ee8-ac05-1c224e923c0e.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_allow_rdp_remote_assistance_feature/ │ │ │ │ ├── 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx │ │ │ │ ├── 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_amsi_disable/ │ │ │ │ ├── aa37cbb0-da36-42cb-a90f-fdf216fc7467.evtx │ │ │ │ ├── aa37cbb0-da36-42cb-a90f-fdf216fc7467.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_bypass_uac_using_delegateexecute/ │ │ │ │ ├── 46dd5308-4572-4d12-aa43-8938f0184d4f.evtx │ │ │ │ ├── 46dd5308-4572-4d12-aa43-8938f0184d4f.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_bypass_uac_using_eventviewer/ │ │ │ │ ├── 674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx │ │ │ │ ├── 674202d0-b22a-4af4-ae5f-2eda1f3da1af.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_bypass_uac_using_silentcleanup_task/ │ │ │ │ ├── 724ea201-6514-4f38-9739-e5973c34f49a.evtx │ │ │ │ ├── 724ea201-6514-4f38-9739-e5973c34f49a.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_change_rdp_port/ │ │ │ │ ├── 509e84b9-a71a-40e0-834f-05470369bd1e.evtx │ │ │ │ ├── 509e84b9-a71a-40e0-834f-05470369bd1e.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_change_security_zones/ │ │ │ │ ├── 45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx │ │ │ │ ├── 45e112d0-7759-4c2a-aa36-9f8fb79d3393.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_credential_guard_disabled/ │ │ │ │ ├── 73921b9c-cafd-4446-b0c6-fdb0ace42bc0.evtx │ │ │ │ ├── 73921b9c-cafd-4446-b0c6-fdb0ace42bc0.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/ │ │ │ │ ├── 8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx │ │ │ │ ├── 8b7273a4-ba5d-4d8a-b04f-11f2900d043a.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_disable_administrative_share/ │ │ │ │ ├── c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx │ │ │ │ ├── c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_disable_defender_firewall/ │ │ │ │ ├── 974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx │ │ │ │ ├── 974515da-6cc5-4c95-ae65-f97f9150ec7f.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_disable_security_center_notifications/ │ │ │ │ ├── 3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx │ │ │ │ ├── 3ae1a046-f7db-439d-b7ce-b8b366b81fa6.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_persistence_amsi_providers/ │ │ │ │ ├── 33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx │ │ │ │ ├── 33efc23c-6ea2-4503-8cfe-bdf82ce8f705.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_persistence_com_key_linking/ │ │ │ │ ├── 9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx │ │ │ │ ├── 9b0f8a61-91b2-464f-aceb-0527e0a45020.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_persistence_logon_scripts_userinitmprlogonscript/ │ │ │ │ ├── 9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx │ │ │ │ ├── 9ace0707-b560-49b8-b6ca-5148b42f39fb.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_powershell_logging_disabled/ │ │ │ │ ├── fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx │ │ │ │ ├── fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_pua_sysinternals_execution_via_eula/ │ │ │ │ ├── 25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx │ │ │ │ ├── 25ffa65d-76d8-4da5-a832-3f2b0136e133.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_pua_sysinternals_renamed_execution_via_eula/ │ │ │ │ ├── f50f3c09-557d-492d-81db-9064a8d4e211.evtx │ │ │ │ ├── f50f3c09-557d-492d-81db-9064a8d4e211.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_pua_sysinternals_susp_execution_via_eula/ │ │ │ │ ├── c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx │ │ │ │ ├── c7da8edc-49ae-45a2-9e61-9fd860e4e73d.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_special_accounts/ │ │ │ │ ├── f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx │ │ │ │ ├── f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.json │ │ │ │ └── info.yml │ │ │ ├── registry_set_susp_user_shell_folders/ │ │ │ │ ├── 9c226817-8dc9-46c2-a58d-66655aafd7dc.evtx │ │ │ │ ├── 9c226817-8dc9-46c2-a58d-66655aafd7dc.json │ │ │ │ └── info.yml │ │ │ └── registry_set_vulnerable_driver_blocklist_disable/ │ │ │ ├── d526c60a-e236-4011-b165-831ffa52ab70.evtx │ │ │ ├── d526c60a-e236-4011-b165-831ffa52ab70.json │ │ │ └── info.yml │ │ └── sysmon/ │ │ └── sysmon_config_modification/ │ │ ├── 8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx │ │ ├── 8ac03a65-6c84-4116-acad-dc1558ff7a77.json │ │ └── info.yml │ ├── rules-emerging-threats/ │ │ └── 2025/ │ │ ├── Exploits/ │ │ │ └── CVE-2025-55182/ │ │ │ └── proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/ │ │ │ ├── 271de298-cc0e-4842-acd8-079a0a99ea65.evtx │ │ │ ├── 271de298-cc0e-4842-acd8-079a0a99ea65.json │ │ │ └── info.yml │ │ └── Malware/ │ │ └── Grixba/ │ │ └── proc_creation_win_malware_grixba_recon/ │ │ ├── af688c76-4ce4-4309-bfdd-e896f01acf27.evtx │ │ ├── af688c76-4ce4-4309-bfdd-e896f01acf27.json │ │ └── info.yml │ └── rules-threat-hunting/ │ └── windows/ │ └── image_load/ │ └── image_load_win_werfaultsecure_dbgcore_dbghelp_load/ │ ├── 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx │ ├── 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json │ └── info.yml ├── rules/ │ ├── README.md │ ├── application/ │ │ ├── bitbucket/ │ │ │ └── audit/ │ │ │ ├── bitbucket_audit_full_data_export_triggered.yml │ │ │ ├── bitbucket_audit_global_permissions_change_detected.yml │ │ │ ├── bitbucket_audit_global_secret_scanning_rule_deleted.yml │ │ │ ├── bitbucket_audit_global_ssh_settings_change_detected.yml │ │ │ ├── bitbucket_audit_log_configuration_update_detected.yml │ │ │ ├── bitbucket_audit_project_secret_scanning_allowlist_added.yml │ │ │ ├── bitbucket_audit_secret_scanning_exempt_repository_detected.yml │ │ │ ├── bitbucket_audit_secret_scanning_rule_deleted.yml │ │ │ ├── bitbucket_audit_unauthorized_access_detected.yml │ │ │ ├── bitbucket_audit_unauthorized_full_data_export_triggered.yml │ │ │ ├── bitbucket_audit_user_details_export_attempt_detected.yml │ │ │ ├── bitbucket_audit_user_login_failure_detected.yml │ │ │ ├── bitbucket_audit_user_login_failure_via_ssh_detected.yml │ │ │ └── bitbucket_audit_user_permissions_export_attempt_detected.yml │ │ ├── django/ │ │ │ └── appframework_django_exceptions.yml │ │ ├── github/ │ │ │ └── audit/ │ │ │ ├── github_delete_action_invoked.yml │ │ │ ├── github_disable_high_risk_configuration.yml │ │ │ ├── github_disabled_outdated_dependency_or_vulnerability.yml │ │ │ ├── github_fork_private_repos_enabled_or_cleared.yml │ │ │ ├── github_new_org_member.yml │ │ │ ├── github_new_secret_created.yml │ │ │ ├── github_outside_collaborator_detected.yml │ │ │ ├── github_pages_site_changed_to_public.yml │ │ │ ├── github_push_protection_bypass_detected.yml │ │ │ ├── github_push_protection_disabled.yml │ │ │ ├── github_repo_or_org_transferred.yml │ │ │ ├── github_repository_archive_status_changed.yml │ │ │ ├── github_secret_scanning_feature_disabled.yml │ │ │ ├── github_self_hosted_runner_changes_detected.yml │ │ │ └── github_ssh_certificate_config_changed.yml │ │ ├── jvm/ │ │ │ ├── java_jndi_injection_exploitation_attempt.yml │ │ │ ├── java_local_file_read.yml │ │ │ ├── java_ognl_injection_exploitation_attempt.yml │ │ │ ├── java_rce_exploitation_attempt.yml │ │ │ └── java_xxe_exploitation_attempt.yml │ │ ├── kubernetes/ │ │ │ └── audit/ │ │ │ ├── kubernetes_audit_change_admission_controller.yml │ │ │ ├── kubernetes_audit_cronjob_modification.yml │ │ │ ├── kubernetes_audit_deployment_deleted.yml │ │ │ ├── kubernetes_audit_events_deleted.yml │ │ │ ├── kubernetes_audit_exec_into_container.yml │ │ │ ├── kubernetes_audit_hostpath_mount.yml │ │ │ ├── kubernetes_audit_pod_in_system_namespace.yml │ │ │ ├── kubernetes_audit_privileged_pod_creation.yml │ │ │ ├── kubernetes_audit_rbac_permisions_listing.yml │ │ │ ├── kubernetes_audit_rolebinding_modification.yml │ │ │ ├── kubernetes_audit_secrets_enumeration.yml │ │ │ ├── kubernetes_audit_secrets_modified_or_deleted.yml │ │ │ ├── kubernetes_audit_serviceaccount_creation.yml │ │ │ ├── kubernetes_audit_sidecar_injection.yml │ │ │ └── kubernetes_audit_unauthorized_unauthenticated_actions.yml │ │ ├── nodejs/ │ │ │ └── nodejs_rce_exploitation_attempt.yml │ │ ├── opencanary/ │ │ │ ├── opencanary_ftp_login_attempt.yml │ │ │ ├── opencanary_git_clone_request.yml │ │ │ ├── opencanary_http_get.yml │ │ │ ├── opencanary_http_post_login_attempt.yml │ │ │ ├── opencanary_httpproxy_login_attempt.yml │ │ │ ├── opencanary_mssql_login_sqlauth.yml │ │ │ ├── opencanary_mssql_login_winauth.yml │ │ │ ├── opencanary_mysql_login_attempt.yml │ │ │ ├── opencanary_ntp_monlist.yml │ │ │ ├── opencanary_portscan_nmap_fin_scan.yaml │ │ │ ├── opencanary_portscan_nmap_null_scan.yaml │ │ │ ├── opencanary_portscan_nmap_os_scan.yaml │ │ │ ├── opencanary_portscan_nmap_xmas_scan.yaml │ │ │ ├── opencanary_portscan_syn_scan.yaml │ │ │ ├── opencanary_rdp_connection_attempt.yaml │ │ │ ├── opencanary_redis_command.yml │ │ │ ├── opencanary_sip_request.yml │ │ │ ├── opencanary_smb_file_open.yml │ │ │ ├── opencanary_snmp_cmd.yml │ │ │ ├── opencanary_ssh_login_attempt.yml │ │ │ ├── opencanary_ssh_new_connection.yml │ │ │ ├── opencanary_telnet_login_attempt.yml │ │ │ ├── opencanary_tftp_request.yml │ │ │ └── opencanary_vnc_connection_attempt.yml │ │ ├── python/ │ │ │ └── app_python_sql_exceptions.yml │ │ ├── rpc_firewall/ │ │ │ ├── rpc_firewall_atsvc_lateral_movement.yml │ │ │ ├── rpc_firewall_atsvc_recon.yml │ │ │ ├── rpc_firewall_dcsync_attack.yml │ │ │ ├── rpc_firewall_efs_abuse.yml │ │ │ ├── rpc_firewall_eventlog_recon.yml │ │ │ ├── rpc_firewall_itaskschedulerservice_lateral_movement.yml │ │ │ ├── rpc_firewall_itaskschedulerservice_recon.yml │ │ │ ├── rpc_firewall_printing_lateral_movement.yml │ │ │ ├── rpc_firewall_remote_dcom_or_wmi.yml │ │ │ ├── rpc_firewall_remote_registry_lateral_movement.yml │ │ │ ├── rpc_firewall_remote_registry_recon.yml │ │ │ ├── rpc_firewall_remote_server_service_abuse.yml │ │ │ ├── rpc_firewall_remote_service_lateral_movement.yml │ │ │ ├── rpc_firewall_sasec_lateral_movement.yml │ │ │ ├── rpc_firewall_sasec_recon.yml │ │ │ ├── rpc_firewall_sharphound_recon_account.yml │ │ │ └── rpc_firewall_sharphound_recon_sessions.yml │ │ ├── ruby/ │ │ │ └── appframework_ruby_on_rails_exceptions.yml │ │ ├── spring/ │ │ │ ├── spring_application_exceptions.yml │ │ │ └── spring_spel_injection.yml │ │ ├── sql/ │ │ │ └── app_sqlinjection_errors.yml │ │ └── velocity/ │ │ └── velocity_ssti_injection.yml │ ├── category/ │ │ ├── antivirus/ │ │ │ ├── av_exploiting.yml │ │ │ ├── av_hacktool.yml │ │ │ ├── av_password_dumper.yml │ │ │ ├── av_ransomware.yml │ │ │ ├── av_relevant_files.yml │ │ │ └── av_webshell.yml │ │ └── database/ │ │ └── db_anomalous_query.yml │ ├── cloud/ │ │ ├── aws/ │ │ │ └── cloudtrail/ │ │ │ ├── aws_cloudtrail_bucket_deleted.yml │ │ │ ├── aws_cloudtrail_console_login_failed_authentication.yml │ │ │ ├── aws_cloudtrail_console_login_success_without_mfa.yml │ │ │ ├── aws_cloudtrail_disable_logging.yml │ │ │ ├── aws_cloudtrail_guardduty_detector_deleted_or_updated.yml │ │ │ ├── aws_cloudtrail_imds_malicious_usage.yml │ │ │ ├── aws_cloudtrail_new_acl_entries.yml │ │ │ ├── aws_cloudtrail_new_route_added.yml │ │ │ ├── aws_cloudtrail_pua_trufflehog.yml │ │ │ ├── aws_cloudtrail_region_enabled.yml │ │ │ ├── aws_cloudtrail_security_group_change_ingress_egress.yml │ │ │ ├── aws_cloudtrail_security_group_change_loadbalancer.yml │ │ │ ├── aws_cloudtrail_security_group_change_rds.yml │ │ │ ├── aws_cloudtrail_ssm_malicious_usage.yml │ │ │ ├── aws_cloudtrail_vpc_flow_logs_deleted.yml │ │ │ ├── aws_config_disable_recording.yml │ │ │ ├── aws_console_getsignintoken.yml │ │ │ ├── aws_delete_identity.yml │ │ │ ├── aws_delete_saml_provider.yml │ │ │ ├── aws_disable_bucket_versioning.yml │ │ │ ├── aws_ec2_disable_encryption.yml │ │ │ ├── aws_ec2_import_key_pair_activity.yml │ │ │ ├── aws_ec2_startup_script_change.yml │ │ │ ├── aws_ec2_vm_export_failure.yml │ │ │ ├── aws_ecs_task_definition_cred_endpoint_query.yml │ │ │ ├── aws_efs_fileshare_modified_or_deleted.yml │ │ │ ├── aws_efs_fileshare_mount_modified_or_deleted.yml │ │ │ ├── aws_eks_cluster_created_or_deleted.yml │ │ │ ├── aws_elasticache_security_group_created.yml │ │ │ ├── aws_elasticache_security_group_modified_or_deleted.yml │ │ │ ├── aws_enum_buckets.yml │ │ │ ├── aws_guardduty_disruption.yml │ │ │ ├── aws_iam_backdoor_users_keys.yml │ │ │ ├── aws_iam_s3browser_loginprofile_creation.yml │ │ │ ├── aws_iam_s3browser_templated_s3_bucket_policy_creation.yml │ │ │ ├── aws_iam_s3browser_user_or_accesskey_creation.yml │ │ │ ├── aws_kms_import_key_material.yml │ │ │ ├── aws_lambda_function_url.yml │ │ │ ├── aws_new_lambda_layer_attached.yml │ │ │ ├── aws_passed_role_to_glue_development_endpoint.yml │ │ │ ├── aws_rds_change_master_password.yml │ │ │ ├── aws_rds_dbcluster_actions.yml │ │ │ ├── aws_rds_public_db_restore.yml │ │ │ ├── aws_root_account_usage.yml │ │ │ ├── aws_route_53_domain_transferred_lock_disabled.yml │ │ │ ├── aws_route_53_domain_transferred_to_another_account.yml │ │ │ ├── aws_s3_data_management_tampering.yml │ │ │ ├── aws_securityhub_finding_evasion.yml │ │ │ ├── aws_snapshot_backup_exfiltration.yml │ │ │ ├── aws_sso_idp_change.yml │ │ │ ├── aws_sts_assumerole_misuse.yml │ │ │ ├── aws_sts_getcalleridentity_trufflehog.yml │ │ │ ├── aws_sts_getsessiontoken_misuse.yml │ │ │ ├── aws_susp_saml_activity.yml │ │ │ └── aws_update_login_profile.yml │ │ ├── azure/ │ │ │ ├── activity_logs/ │ │ │ │ ├── azure_aadhybridhealth_adfs_new_server.yml │ │ │ │ ├── azure_aadhybridhealth_adfs_service_delete.yml │ │ │ │ ├── azure_ad_user_added_to_admin_role.yml │ │ │ │ ├── azure_application_deleted.yml │ │ │ │ ├── azure_application_gateway_modified_or_deleted.yml │ │ │ │ ├── azure_application_security_group_modified_or_deleted.yml │ │ │ │ ├── azure_container_registry_created_or_deleted.yml │ │ │ │ ├── azure_creating_number_of_resources_detection.yml │ │ │ │ ├── azure_device_no_longer_managed_or_compliant.yml │ │ │ │ ├── azure_device_or_configuration_modified_or_deleted.yml │ │ │ │ ├── azure_dns_zone_modified_or_deleted.yml │ │ │ │ ├── azure_firewall_modified_or_deleted.yml │ │ │ │ ├── azure_firewall_rule_collection_modified_or_deleted.yml │ │ │ │ ├── azure_granting_permission_detection.yml │ │ │ │ ├── azure_keyvault_key_modified_or_deleted.yml │ │ │ │ ├── azure_keyvault_modified_or_deleted.yml │ │ │ │ ├── azure_keyvault_secrets_modified_or_deleted.yml │ │ │ │ ├── azure_kubernetes_admission_controller.yml │ │ │ │ ├── azure_kubernetes_cluster_created_or_deleted.yml │ │ │ │ ├── azure_kubernetes_cronjob.yml │ │ │ │ ├── azure_kubernetes_events_deleted.yml │ │ │ │ ├── azure_kubernetes_network_policy_change.yml │ │ │ │ ├── azure_kubernetes_pods_deleted.yml │ │ │ │ ├── azure_kubernetes_role_access.yml │ │ │ │ ├── azure_kubernetes_rolebinding_modified_or_deleted.yml │ │ │ │ ├── azure_kubernetes_secret_or_config_object_access.yml │ │ │ │ ├── azure_kubernetes_service_account_modified_or_deleted.yml │ │ │ │ ├── azure_mfa_disabled.yml │ │ │ │ ├── azure_network_firewall_policy_modified_or_deleted.yml │ │ │ │ ├── azure_network_firewall_rule_modified_or_deleted.yml │ │ │ │ ├── azure_network_p2s_vpn_modified_or_deleted.yml │ │ │ │ ├── azure_network_security_modified_or_deleted.yml │ │ │ │ ├── azure_network_virtual_device_modified_or_deleted.yml │ │ │ │ ├── azure_new_cloudshell_created.yml │ │ │ │ ├── azure_owner_removed_from_application_or_service_principal.yml │ │ │ │ ├── azure_rare_operations.yml │ │ │ │ ├── azure_service_principal_created.yml │ │ │ │ ├── azure_service_principal_removed.yml │ │ │ │ ├── azure_subscription_permissions_elevation_via_activitylogs.yml │ │ │ │ ├── azure_suppression_rule_created.yml │ │ │ │ ├── azure_virtual_network_modified_or_deleted.yml │ │ │ │ └── azure_vpn_connection_modified_or_deleted.yml │ │ │ ├── audit_logs/ │ │ │ │ ├── azure_aad_secops_ca_policy_removedby_bad_actor.yml │ │ │ │ ├── azure_aad_secops_ca_policy_updatedby_bad_actor.yml │ │ │ │ ├── azure_aad_secops_new_ca_policy_addedby_bad_actor.yml │ │ │ │ ├── azure_ad_account_created_deleted.yml │ │ │ │ ├── azure_ad_bitlocker_key_retrieval.yml │ │ │ │ ├── azure_ad_certificate_based_authencation_enabled.yml │ │ │ │ ├── azure_ad_device_registration_policy_changes.yml │ │ │ │ ├── azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml │ │ │ │ ├── azure_ad_new_root_ca_added.yml │ │ │ │ ├── azure_ad_users_added_to_device_admin_roles.yml │ │ │ │ ├── azure_app_appid_uri_changes.yml │ │ │ │ ├── azure_app_credential_added.yml │ │ │ │ ├── azure_app_delegated_permissions_all_users.yml │ │ │ │ ├── azure_app_end_user_consent.yml │ │ │ │ ├── azure_app_end_user_consent_blocked.yml │ │ │ │ ├── azure_app_owner_added.yml │ │ │ │ ├── azure_app_permissions_msft.yml │ │ │ │ ├── azure_app_privileged_permissions.yml │ │ │ │ ├── azure_app_role_added.yml │ │ │ │ ├── azure_app_uri_modifications.yml │ │ │ │ ├── azure_auditlogs_laps_credential_dumping.yml │ │ │ │ ├── azure_change_to_authentication_method.yml │ │ │ │ ├── azure_federation_modified.yml │ │ │ │ ├── azure_group_user_addition_ca_modification.yml │ │ │ │ ├── azure_group_user_removal_ca_modification.yml │ │ │ │ ├── azure_guest_invite_failure.yml │ │ │ │ ├── azure_guest_to_member.yml │ │ │ │ ├── azure_pim_activation_approve_deny.yml │ │ │ │ ├── azure_pim_alerts_disabled.yml │ │ │ │ ├── azure_pim_change_settings.yml │ │ │ │ ├── azure_priviledged_role_assignment_add.yml │ │ │ │ ├── azure_priviledged_role_assignment_bulk_change.yml │ │ │ │ ├── azure_privileged_account_creation.yml │ │ │ │ ├── azure_subscription_permissions_elevation_via_auditlogs.yml │ │ │ │ ├── azure_tap_added.yml │ │ │ │ ├── azure_update_risk_and_mfa_registration_policy.yml │ │ │ │ ├── azure_user_account_mfa_disable.yml │ │ │ │ └── azure_user_password_change.yml │ │ │ ├── identity_protection/ │ │ │ │ ├── azure_identity_protection_anomalous_token.yml │ │ │ │ ├── azure_identity_protection_anomalous_user.yml │ │ │ │ ├── azure_identity_protection_anonymous_ip_activity.yml │ │ │ │ ├── azure_identity_protection_anonymous_ip_address.yml │ │ │ │ ├── azure_identity_protection_atypical_travel.yml │ │ │ │ ├── azure_identity_protection_impossible_travel.yml │ │ │ │ ├── azure_identity_protection_inbox_forwarding_rule.yml │ │ │ │ ├── azure_identity_protection_inbox_manipulation.yml │ │ │ │ ├── azure_identity_protection_leaked_credentials.yml │ │ │ │ ├── azure_identity_protection_malicious_ip_address.yml │ │ │ │ ├── azure_identity_protection_malicious_ip_address_suspicious.yml │ │ │ │ ├── azure_identity_protection_malware_linked_ip.yml │ │ │ │ ├── azure_identity_protection_new_coutry_region.yml │ │ │ │ ├── azure_identity_protection_password_spray.yml │ │ │ │ ├── azure_identity_protection_prt_access.yml │ │ │ │ ├── azure_identity_protection_suspicious_browser.yml │ │ │ │ ├── azure_identity_protection_threat_intel.yml │ │ │ │ ├── azure_identity_protection_token_issuer_anomaly.yml │ │ │ │ └── azure_identity_protection_unfamilar_sign_in.yml │ │ │ ├── privileged_identity_management/ │ │ │ │ ├── azure_pim_account_stale.yml │ │ │ │ ├── azure_pim_invalid_license.yml │ │ │ │ ├── azure_pim_role_assigned_outside_of_pim.yml │ │ │ │ ├── azure_pim_role_frequent_activation.yml │ │ │ │ ├── azure_pim_role_no_mfa_required.yml │ │ │ │ ├── azure_pim_role_not_used.yml │ │ │ │ └── azure_pim_too_many_global_admins.yml │ │ │ └── signin_logs/ │ │ │ ├── azure_account_lockout.yml │ │ │ ├── azure_ad_auth_failure_increase.yml │ │ │ ├── azure_ad_auth_sucess_increase.yml │ │ │ ├── azure_ad_auth_to_important_apps_using_single_factor_auth.yml │ │ │ ├── azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml │ │ │ ├── azure_ad_azurehound_discovery.yml │ │ │ ├── azure_ad_device_registration_or_join_without_mfa.yml │ │ │ ├── azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml │ │ │ ├── azure_ad_only_single_factor_auth_required.yml │ │ │ ├── azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml │ │ │ ├── azure_ad_sign_ins_from_noncompliant_devices.yml │ │ │ ├── azure_ad_sign_ins_from_unknown_devices.yml │ │ │ ├── azure_ad_suspicious_signin_bypassing_mfa.yml │ │ │ ├── azure_app_device_code_authentication.yml │ │ │ ├── azure_app_ropc_authentication.yml │ │ │ ├── azure_blocked_account_attempt.yml │ │ │ ├── azure_conditional_access_failure.yml │ │ │ ├── azure_legacy_authentication_protocols.yml │ │ │ ├── azure_login_to_disabled_account.yml │ │ │ ├── azure_mfa_denies.yml │ │ │ ├── azure_mfa_interrupted.yml │ │ │ ├── azure_unusual_authentication_interruption.yml │ │ │ ├── azure_user_login_blocked_by_conditional_access.yml │ │ │ └── azure_users_authenticating_to_other_azure_ad_tenants.yml │ │ ├── gcp/ │ │ │ ├── audit/ │ │ │ │ ├── gcp_access_policy_deleted.yml │ │ │ │ ├── gcp_breakglass_container_workload_deployed.yml │ │ │ │ ├── gcp_bucket_enumeration.yml │ │ │ │ ├── gcp_bucket_modified_or_deleted.yml │ │ │ │ ├── gcp_dlp_re_identifies_sensitive_information.yml │ │ │ │ ├── gcp_dns_zone_modified_or_deleted.yml │ │ │ │ ├── gcp_firewall_rule_modified_or_deleted.yml │ │ │ │ ├── gcp_full_network_traffic_packet_capture.yml │ │ │ │ ├── gcp_kubernetes_admission_controller.yml │ │ │ │ ├── gcp_kubernetes_cronjob.yml │ │ │ │ ├── gcp_kubernetes_rolebinding.yml │ │ │ │ ├── gcp_kubernetes_secrets_modified_or_deleted.yml │ │ │ │ ├── gcp_service_account_disabled_or_deleted.yml │ │ │ │ ├── gcp_service_account_modified.yml │ │ │ │ ├── gcp_sql_database_modified_or_deleted.yml │ │ │ │ └── gcp_vpn_tunnel_modified_or_deleted.yml │ │ │ └── gworkspace/ │ │ │ ├── gcp_gworkspace_application_access_levels_modified.yml │ │ │ ├── gcp_gworkspace_application_removed.yml │ │ │ ├── gcp_gworkspace_granted_domain_api_access.yml │ │ │ ├── gcp_gworkspace_mfa_disabled.yml │ │ │ ├── gcp_gworkspace_role_modified_or_deleted.yml │ │ │ ├── gcp_gworkspace_role_privilege_deleted.yml │ │ │ └── gcp_gworkspace_user_granted_admin_privileges.yml │ │ └── m365/ │ │ ├── audit/ │ │ │ ├── microsoft365_bypass_conditional_access.yml │ │ │ ├── microsoft365_disabling_mfa.yml │ │ │ └── microsoft365_new_federated_domain_added_audit.yml │ │ ├── exchange/ │ │ │ └── microsoft365_new_federated_domain_added_exchange.yml │ │ ├── threat_detection/ │ │ │ └── microsoft365_from_susp_ip_addresses.yml │ │ └── threat_management/ │ │ ├── microsoft365_activity_by_terminated_user.yml │ │ ├── microsoft365_activity_from_anonymous_ip_addresses.yml │ │ ├── microsoft365_activity_from_infrequent_country.yml │ │ ├── microsoft365_data_exfiltration_to_unsanctioned_app.yml │ │ ├── microsoft365_impossible_travel_activity.yml │ │ ├── microsoft365_logon_from_risky_ip_address.yml │ │ ├── microsoft365_potential_ransomware_activity.yml │ │ ├── microsoft365_pst_export_alert.yml │ │ ├── microsoft365_pst_export_alert_using_new_compliancesearchaction.yml │ │ ├── microsoft365_susp_inbox_forwarding.yml │ │ ├── microsoft365_susp_oauth_app_file_download_activities.yml │ │ ├── microsoft365_unusual_volume_of_file_deletion.yml │ │ └── microsoft365_user_restricted_from_sending_email.yml │ ├── identity/ │ │ ├── cisco_duo/ │ │ │ └── cisco_duo_mfa_bypass_via_bypass_code.yml │ │ ├── okta/ │ │ │ ├── okta_admin_activity_from_proxy_query.yml │ │ │ ├── okta_admin_role_assigned_to_user_or_group.yml │ │ │ ├── okta_admin_role_assignment_created.yml │ │ │ ├── okta_api_token_created.yml │ │ │ ├── okta_api_token_revoked.yml │ │ │ ├── okta_application_modified_or_deleted.yml │ │ │ ├── okta_application_sign_on_policy_modified_or_deleted.yml │ │ │ ├── okta_fastpass_phishing_detection.yml │ │ │ ├── okta_identity_provider_created.yml │ │ │ ├── okta_mfa_reset_or_deactivated.yml │ │ │ ├── okta_network_zone_deactivated_or_deleted.yml │ │ │ ├── okta_new_behaviours_admin_console.yml │ │ │ ├── okta_password_in_alternateid_field.yml │ │ │ ├── okta_policy_modified_or_deleted.yml │ │ │ ├── okta_policy_rule_modified_or_deleted.yml │ │ │ ├── okta_security_threat_detected.yml │ │ │ ├── okta_suspicious_activity_enduser_report.yml │ │ │ ├── okta_unauthorized_access_to_app.yml │ │ │ ├── okta_user_account_locked_out.yml │ │ │ ├── okta_user_created.yml │ │ │ └── okta_user_session_start_via_anonymised_proxy.yml │ │ └── onelogin/ │ │ ├── onelogin_assumed_another_user.yml │ │ └── onelogin_user_account_locked.yml │ ├── linux/ │ │ ├── auditd/ │ │ │ ├── execve/ │ │ │ │ ├── lnx_auditd_binary_padding.yml │ │ │ │ ├── lnx_auditd_bpfdoor_port_redirect.yml │ │ │ │ ├── lnx_auditd_capabilities_discovery.yml │ │ │ │ ├── lnx_auditd_change_file_time_attr.yml │ │ │ │ ├── lnx_auditd_chattr_immutable_removal.yml │ │ │ │ ├── lnx_auditd_clipboard_collection.yml │ │ │ │ ├── lnx_auditd_clipboard_image_collection.yml │ │ │ │ ├── lnx_auditd_coinminer.yml │ │ │ │ ├── lnx_auditd_data_compressed.yml │ │ │ │ ├── lnx_auditd_data_exfil_wget.yml │ │ │ │ ├── lnx_auditd_dd_delete_file.yml │ │ │ │ ├── lnx_auditd_file_or_folder_permissions.yml │ │ │ │ ├── lnx_auditd_find_cred_in_files.yml │ │ │ │ ├── lnx_auditd_hidden_files_directories.yml │ │ │ │ ├── lnx_auditd_hidden_zip_files_steganography.yml │ │ │ │ ├── lnx_auditd_masquerading_crond.yml │ │ │ │ ├── lnx_auditd_modify_system_firewall.yml │ │ │ │ ├── lnx_auditd_network_sniffing.yml │ │ │ │ ├── lnx_auditd_screencapture_import.yml │ │ │ │ ├── lnx_auditd_screencaputre_xwd.yml │ │ │ │ ├── lnx_auditd_steghide_embed_steganography.yml │ │ │ │ ├── lnx_auditd_steghide_extract_steganography.yml │ │ │ │ ├── lnx_auditd_susp_cmds.yml │ │ │ │ ├── lnx_auditd_susp_histfile_operations.yml │ │ │ │ ├── lnx_auditd_susp_service_reload_or_restart.yml │ │ │ │ ├── lnx_auditd_system_shutdown_reboot.yml │ │ │ │ ├── lnx_auditd_unzip_hidden_zip_files_steganography.yml │ │ │ │ └── lnx_auditd_user_discovery.yml │ │ │ ├── lnx_auditd_audio_capture.yml │ │ │ ├── lnx_auditd_disable_aslr_protection.yml │ │ │ ├── lnx_auditd_keylogging_with_pam_d.yml │ │ │ ├── lnx_auditd_password_policy_discovery.yml │ │ │ ├── lnx_auditd_susp_c2_commands.yml │ │ │ ├── lnx_auditd_system_info_discovery.yml │ │ │ ├── path/ │ │ │ │ ├── lnx_auditd_auditing_config_change.yml │ │ │ │ ├── lnx_auditd_bpfdoor_file_accessed.yml │ │ │ │ ├── lnx_auditd_hidden_binary_execution.yml │ │ │ │ ├── lnx_auditd_ld_so_preload_mod.yml │ │ │ │ ├── lnx_auditd_logging_config_change.yml │ │ │ │ ├── lnx_auditd_magic_system_request_key.yml │ │ │ │ ├── lnx_auditd_system_info_discovery2.yml │ │ │ │ ├── lnx_auditd_systemd_service_creation.yml │ │ │ │ └── lnx_auditd_unix_shell_configuration_modification.yml │ │ │ ├── service_stop/ │ │ │ │ └── lnx_auditd_disable_system_firewall.yml │ │ │ └── syscall/ │ │ │ ├── lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml │ │ │ ├── lnx_auditd_create_account.yml │ │ │ ├── lnx_auditd_load_module_insmod.yml │ │ │ ├── lnx_auditd_network_service_scanning.yml │ │ │ ├── lnx_auditd_split_file_into_pieces.yml │ │ │ ├── lnx_auditd_susp_discovery_sysinfo_syscall.yml │ │ │ ├── lnx_auditd_susp_exe_folders.yml │ │ │ ├── lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml │ │ │ └── lnx_auditd_web_rce.yml │ │ ├── builtin/ │ │ │ ├── clamav/ │ │ │ │ └── lnx_clamav_relevant_message.yml │ │ │ ├── cron/ │ │ │ │ └── lnx_cron_crontab_file_modification.yml │ │ │ ├── guacamole/ │ │ │ │ └── lnx_guacamole_susp_guacamole.yml │ │ │ ├── lnx_apt_equationgroup_lnx.yml │ │ │ ├── lnx_buffer_overflows.yml │ │ │ ├── lnx_clear_syslog.yml │ │ │ ├── lnx_file_copy.yml │ │ │ ├── lnx_ldso_preload_injection.yml │ │ │ ├── lnx_potential_susp_ebpf_activity.yml │ │ │ ├── lnx_privileged_user_creation.yml │ │ │ ├── lnx_shell_clear_cmd_history.yml │ │ │ ├── lnx_shell_susp_commands.yml │ │ │ ├── lnx_shell_susp_log_entries.yml │ │ │ ├── lnx_shell_susp_rev_shells.yml │ │ │ ├── lnx_shellshock.yml │ │ │ ├── lnx_susp_dev_tcp.yml │ │ │ ├── lnx_susp_jexboss.yml │ │ │ ├── lnx_symlink_etc_passwd.yml │ │ │ ├── sshd/ │ │ │ │ └── lnx_sshd_susp_ssh.yml │ │ │ ├── syslog/ │ │ │ │ ├── lnx_syslog_security_tools_disabling_syslog.yml │ │ │ │ └── lnx_syslog_susp_named.yml │ │ │ └── vsftpd/ │ │ │ └── lnx_vsftpd_susp_error_messages.yml │ │ ├── file_event/ │ │ │ ├── file_event_lnx_doas_conf_creation.yml │ │ │ ├── file_event_lnx_persistence_cron_files.yml │ │ │ ├── file_event_lnx_persistence_sudoers_files.yml │ │ │ ├── file_event_lnx_susp_filename_with_embedded_base64_command.yml │ │ │ ├── file_event_lnx_susp_shell_script_under_profile_directory.yml │ │ │ ├── file_event_lnx_triple_cross_rootkit_lock_file.yml │ │ │ ├── file_event_lnx_triple_cross_rootkit_persistence.yml │ │ │ └── file_event_lnx_wget_download_file_in_tmp_dir.yml │ │ ├── network_connection/ │ │ │ ├── net_connection_lnx_back_connect_shell_dev.yml │ │ │ ├── net_connection_lnx_crypto_mining_indicators.yml │ │ │ ├── net_connection_lnx_domain_localtonet_tunnel.yml │ │ │ ├── net_connection_lnx_ngrok_tunnel.yml │ │ │ └── net_connection_lnx_susp_malware_callback_port.yml │ │ └── process_creation/ │ │ ├── proc_creation_lnx_apt_shell_execution.yml │ │ ├── proc_creation_lnx_at_command.yml │ │ ├── proc_creation_lnx_auditctl_clear_rules.yml │ │ ├── proc_creation_lnx_av_kaspersky_av_disabled.yml │ │ ├── proc_creation_lnx_awk_shell_spawn.yml │ │ ├── proc_creation_lnx_base64_decode.yml │ │ ├── proc_creation_lnx_base64_execution.yml │ │ ├── proc_creation_lnx_base64_shebang_cli.yml │ │ ├── proc_creation_lnx_bash_interactive_shell.yml │ │ ├── proc_creation_lnx_bpf_kprob_tracing_enabled.yml │ │ ├── proc_creation_lnx_bpftrace_unsafe_option_usage.yml │ │ ├── proc_creation_lnx_cap_setgid.yml │ │ ├── proc_creation_lnx_cap_setuid.yml │ │ ├── proc_creation_lnx_capa_discovery.yml │ │ ├── proc_creation_lnx_capsh_shell_invocation.yml │ │ ├── proc_creation_lnx_chattr_immutable_removal.yml │ │ ├── proc_creation_lnx_chroot_execution.yml │ │ ├── proc_creation_lnx_clear_logs.yml │ │ ├── proc_creation_lnx_clear_syslog.yml │ │ ├── proc_creation_lnx_clipboard_collection.yml │ │ ├── proc_creation_lnx_cp_passwd_or_shadow_tmp.yml │ │ ├── proc_creation_lnx_crontab_enumeration.yml │ │ ├── proc_creation_lnx_crontab_removal.yml │ │ ├── proc_creation_lnx_crypto_mining.yml │ │ ├── proc_creation_lnx_curl_usage.yml │ │ ├── proc_creation_lnx_curl_wget_exec_tmp.yml │ │ ├── proc_creation_lnx_dd_file_overwrite.yml │ │ ├── proc_creation_lnx_dd_process_injection.yml │ │ ├── proc_creation_lnx_disable_ufw.yml │ │ ├── proc_creation_lnx_doas_execution.yml │ │ ├── proc_creation_lnx_env_shell_invocation.yml │ │ ├── proc_creation_lnx_esxcli_network_discovery.yml │ │ ├── proc_creation_lnx_esxcli_permission_change_admin.yml │ │ ├── proc_creation_lnx_esxcli_storage_discovery.yml │ │ ├── proc_creation_lnx_esxcli_syslog_config_change.yml │ │ ├── proc_creation_lnx_esxcli_system_discovery.yml │ │ ├── proc_creation_lnx_esxcli_user_account_creation.yml │ │ ├── proc_creation_lnx_esxcli_vm_discovery.yml │ │ ├── proc_creation_lnx_esxcli_vm_kill.yml │ │ ├── proc_creation_lnx_esxcli_vsan_discovery.yml │ │ ├── proc_creation_lnx_file_and_directory_discovery.yml │ │ ├── proc_creation_lnx_file_deletion.yml │ │ ├── proc_creation_lnx_find_shell_execution.yml │ │ ├── proc_creation_lnx_flock_shell_execution.yml │ │ ├── proc_creation_lnx_gcc_shell_execution.yml │ │ ├── proc_creation_lnx_git_shell_execution.yml │ │ ├── proc_creation_lnx_grep_os_arch_discovery.yml │ │ ├── proc_creation_lnx_groupdel.yml │ │ ├── proc_creation_lnx_install_root_certificate.yml │ │ ├── proc_creation_lnx_install_suspicious_packages.yml │ │ ├── proc_creation_lnx_iptables_flush_ufw.yml │ │ ├── proc_creation_lnx_local_account.yml │ │ ├── proc_creation_lnx_local_groups.yml │ │ ├── proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml │ │ ├── proc_creation_lnx_mkfifo_named_pipe_creation.yml │ │ ├── proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml │ │ ├── proc_creation_lnx_mount_hidepid.yml │ │ ├── proc_creation_lnx_netcat_reverse_shell.yml │ │ ├── proc_creation_lnx_nice_shell_execution.yml │ │ ├── proc_creation_lnx_nohup.yml │ │ ├── proc_creation_lnx_nohup_susp_execution.yml │ │ ├── proc_creation_lnx_omigod_scx_runasprovider_executescript.yml │ │ ├── proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml │ │ ├── proc_creation_lnx_perl_reverse_shell.yml │ │ ├── proc_creation_lnx_php_reverse_shell.yml │ │ ├── proc_creation_lnx_pnscan_binary_cli_pattern.yml │ │ ├── proc_creation_lnx_proxy_connection.yml │ │ ├── proc_creation_lnx_pua_trufflehog.yml │ │ ├── proc_creation_lnx_python_http_server_execution.yml │ │ ├── proc_creation_lnx_python_pty_spawn.yml │ │ ├── proc_creation_lnx_python_reverse_shell.yml │ │ ├── proc_creation_lnx_python_shell_os_system.yml │ │ ├── proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml │ │ ├── proc_creation_lnx_remote_system_discovery.yml │ │ ├── proc_creation_lnx_remove_package.yml │ │ ├── proc_creation_lnx_rsync_shell_execution.yml │ │ ├── proc_creation_lnx_rsync_shell_spawn.yml │ │ ├── proc_creation_lnx_ruby_reverse_shell.yml │ │ ├── proc_creation_lnx_schedule_task_job_cron.yml │ │ ├── proc_creation_lnx_security_software_discovery.yml │ │ ├── proc_creation_lnx_security_tools_disabling.yml │ │ ├── proc_creation_lnx_services_stop_and_disable.yml │ │ ├── proc_creation_lnx_setgid_setuid.yml │ │ ├── proc_creation_lnx_ssh_shell_execution.yml │ │ ├── proc_creation_lnx_ssm_agent_abuse.yml │ │ ├── proc_creation_lnx_susp_chmod_directories.yml │ │ ├── proc_creation_lnx_susp_container_residence_discovery.yml │ │ ├── proc_creation_lnx_susp_curl_fileupload.yml │ │ ├── proc_creation_lnx_susp_curl_useragent.yml │ │ ├── proc_creation_lnx_susp_dockerenv_recon.yml │ │ ├── proc_creation_lnx_susp_execution_tmp_folder.yml │ │ ├── proc_creation_lnx_susp_find_execution.yml │ │ ├── proc_creation_lnx_susp_git_clone.yml │ │ ├── proc_creation_lnx_susp_history_delete.yml │ │ ├── proc_creation_lnx_susp_history_recon.yml │ │ ├── proc_creation_lnx_susp_hktl_execution.yml │ │ ├── proc_creation_lnx_susp_inod_listing.yml │ │ ├── proc_creation_lnx_susp_interactive_bash.yml │ │ ├── proc_creation_lnx_susp_java_children.yml │ │ ├── proc_creation_lnx_susp_network_utilities_execution.yml │ │ ├── proc_creation_lnx_susp_pipe_shell.yml │ │ ├── proc_creation_lnx_susp_process_reading_sudoers.yml │ │ ├── proc_creation_lnx_susp_recon_indicators.yml │ │ ├── proc_creation_lnx_susp_sensitive_file_access.yml │ │ ├── proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml │ │ ├── proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml │ │ ├── proc_creation_lnx_system_info_discovery.yml │ │ ├── proc_creation_lnx_system_network_connections_discovery.yml │ │ ├── proc_creation_lnx_system_network_discovery.yml │ │ ├── proc_creation_lnx_systemctl_mask_power_settings.yml │ │ ├── proc_creation_lnx_touch_susp.yml │ │ ├── proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml │ │ ├── proc_creation_lnx_triple_cross_rootkit_install.yml │ │ ├── proc_creation_lnx_userdel.yml │ │ ├── proc_creation_lnx_usermod_susp_group.yml │ │ ├── proc_creation_lnx_vim_shell_execution.yml │ │ ├── proc_creation_lnx_webshell_detection.yml │ │ ├── proc_creation_lnx_wget_download_suspicious_directory.yml │ │ └── proc_creation_lnx_xterm_reverse_shell.yml │ ├── macos/ │ │ ├── file_event/ │ │ │ ├── file_event_macos_emond_launch_daemon.yml │ │ │ └── file_event_macos_susp_startup_item_created.yml │ │ └── process_creation/ │ │ ├── proc_creation_macos_applescript.yml │ │ ├── proc_creation_macos_base64_decode.yml │ │ ├── proc_creation_macos_binary_padding.yml │ │ ├── proc_creation_macos_change_file_time_attr.yml │ │ ├── proc_creation_macos_chflags_hidden_flag.yml │ │ ├── proc_creation_macos_clear_system_logs.yml │ │ ├── proc_creation_macos_clipboard_data_via_osascript.yml │ │ ├── proc_creation_macos_create_account.yml │ │ ├── proc_creation_macos_create_hidden_account.yml │ │ ├── proc_creation_macos_creds_from_keychain.yml │ │ ├── proc_creation_macos_csrutil_disable.yml │ │ ├── proc_creation_macos_csrutil_status.yml │ │ ├── proc_creation_macos_disable_security_tools.yml │ │ ├── proc_creation_macos_dscl_add_user_to_admin_group.yml │ │ ├── proc_creation_macos_dseditgroup_add_to_admin_group.yml │ │ ├── proc_creation_macos_dsenableroot_enable_root_account.yml │ │ ├── proc_creation_macos_file_and_directory_discovery.yml │ │ ├── proc_creation_macos_find_cred_in_files.yml │ │ ├── proc_creation_macos_gui_input_capture.yml │ │ ├── proc_creation_macos_hdiutil_create.yml │ │ ├── proc_creation_macos_hdiutil_mount.yml │ │ ├── proc_creation_macos_installer_susp_child_process.yml │ │ ├── proc_creation_macos_ioreg_discovery.yml │ │ ├── proc_creation_macos_jamf_susp_child.yml │ │ ├── proc_creation_macos_jamf_usage.yml │ │ ├── proc_creation_macos_jxa_in_memory_execution.yml │ │ ├── proc_creation_macos_launchctl_execution.yml │ │ ├── proc_creation_macos_local_account.yml │ │ ├── proc_creation_macos_local_groups.yml │ │ ├── proc_creation_macos_network_service_scanning.yml │ │ ├── proc_creation_macos_network_sniffing.yml │ │ ├── proc_creation_macos_nscurl_usage.yml │ │ ├── proc_creation_macos_office_susp_child_processes.yml │ │ ├── proc_creation_macos_osacompile_runonly_execution.yml │ │ ├── proc_creation_macos_payload_decoded_and_decrypted.yml │ │ ├── proc_creation_macos_persistence_via_plistbuddy.yml │ │ ├── proc_creation_macos_remote_access_tools_meshagent_arguments.yml │ │ ├── proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml │ │ ├── proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml │ │ ├── proc_creation_macos_remote_system_discovery.yml │ │ ├── proc_creation_macos_schedule_task_job_cron.yml │ │ ├── proc_creation_macos_screencapture.yml │ │ ├── proc_creation_macos_security_software_discovery.yml │ │ ├── proc_creation_macos_space_after_filename.yml │ │ ├── proc_creation_macos_split_file_into_pieces.yml │ │ ├── proc_creation_macos_susp_browser_child_process.yml │ │ ├── proc_creation_macos_susp_execution_macos_script_editor.yml │ │ ├── proc_creation_macos_susp_find_execution.yml │ │ ├── proc_creation_macos_susp_histfile_operations.yml │ │ ├── proc_creation_macos_susp_in_memory_download_and_compile.yml │ │ ├── proc_creation_macos_susp_macos_firmware_activity.yml │ │ ├── proc_creation_macos_susp_system_network_discovery.yml │ │ ├── proc_creation_macos_suspicious_applet_behaviour.yml │ │ ├── proc_creation_macos_swvers_discovery.yml │ │ ├── proc_creation_macos_sysadminctl_add_user_to_admin_group.yml │ │ ├── proc_creation_macos_sysadminctl_enable_guest_account.yml │ │ ├── proc_creation_macos_sysctl_discovery.yml │ │ ├── proc_creation_macos_system_network_connections_discovery.yml │ │ ├── proc_creation_macos_system_profiler_discovery.yml │ │ ├── proc_creation_macos_system_shutdown_reboot.yml │ │ ├── proc_creation_macos_tail_base64_decode_from_image.yml │ │ ├── proc_creation_macos_tmutil_delete_backup.yml │ │ ├── proc_creation_macos_tmutil_disable_backup.yml │ │ ├── proc_creation_macos_tmutil_exclude_file_from_backup.yml │ │ ├── proc_creation_macos_wizardupdate_malware_infection.yml │ │ ├── proc_creation_macos_xattr_gatekeeper_bypass.yml │ │ └── proc_creation_macos_xcsset_malware_infection.yml │ ├── network/ │ │ ├── cisco/ │ │ │ ├── aaa/ │ │ │ │ ├── cisco_cli_clear_logs.yml │ │ │ │ ├── cisco_cli_collect_data.yml │ │ │ │ ├── cisco_cli_crypto_actions.yml │ │ │ │ ├── cisco_cli_disable_logging.yml │ │ │ │ ├── cisco_cli_discovery.yml │ │ │ │ ├── cisco_cli_dos.yml │ │ │ │ ├── cisco_cli_file_deletion.yml │ │ │ │ ├── cisco_cli_input_capture.yml │ │ │ │ ├── cisco_cli_local_accounts.yml │ │ │ │ ├── cisco_cli_modify_config.yml │ │ │ │ ├── cisco_cli_moving_data.yml │ │ │ │ └── cisco_cli_net_sniff.yml │ │ │ ├── bgp/ │ │ │ │ └── cisco_bgp_md5_auth_failed.yml │ │ │ └── ldp/ │ │ │ └── cisco_ldp_md5_auth_failed.yml │ │ ├── dns/ │ │ │ ├── net_dns_external_service_interaction_domains.yml │ │ │ ├── net_dns_mal_cobaltstrike.yml │ │ │ ├── net_dns_pua_cryptocoin_mining_xmr.yml │ │ │ ├── net_dns_susp_b64_queries.yml │ │ │ ├── net_dns_susp_telegram_api.yml │ │ │ ├── net_dns_susp_txt_exec_strings.yml │ │ │ └── net_dns_wannacry_killswitch_domain.yml │ │ ├── firewall/ │ │ │ └── net_firewall_cleartext_protocols.yml │ │ ├── fortinet/ │ │ │ └── fortigate/ │ │ │ ├── fortinet_fortigate_new_admin_account_created.yml │ │ │ ├── fortinet_fortigate_new_firewall_address_object.yml │ │ │ ├── fortinet_fortigate_new_firewall_policy_added.yml │ │ │ ├── fortinet_fortigate_new_local_user_created.yml │ │ │ ├── fortinet_fortigate_new_vpn_ssl_web_portal.yml │ │ │ ├── fortinet_fortigate_user_group_modified.yml │ │ │ └── fortinet_fortigate_vpn_ssl_settings_modified.yml │ │ ├── huawei/ │ │ │ └── bgp/ │ │ │ └── huawei_bgp_auth_failed.yml │ │ ├── juniper/ │ │ │ └── bgp/ │ │ │ └── juniper_bgp_missing_md5.yml │ │ └── zeek/ │ │ ├── zeek_dce_rpc_mitre_bzar_execution.yml │ │ ├── zeek_dce_rpc_mitre_bzar_persistence.yml │ │ ├── zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml │ │ ├── zeek_dce_rpc_smb_spoolss_named_pipe.yml │ │ ├── zeek_default_cobalt_strike_certificate.yml │ │ ├── zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml │ │ ├── zeek_dns_mining_pools.yml │ │ ├── zeek_dns_nkn.yml │ │ ├── zeek_dns_susp_zbit_flag.yml │ │ ├── zeek_dns_torproxy.yml │ │ ├── zeek_http_executable_download_from_webdav.yml │ │ ├── zeek_http_susp_file_ext_from_susp_tld.yml │ │ ├── zeek_http_webdav_put_request.yml │ │ ├── zeek_rdp_public_listener.yml │ │ ├── zeek_smb_converted_win_atsvc_task.yml │ │ ├── zeek_smb_converted_win_impacket_secretdump.yml │ │ ├── zeek_smb_converted_win_lm_namedpipe.yml │ │ ├── zeek_smb_converted_win_susp_psexec.yml │ │ ├── zeek_smb_converted_win_susp_raccess_sensitive_fext.yml │ │ ├── zeek_smb_converted_win_transferring_files_with_credential_data.yml │ │ └── zeek_susp_kerberos_rc4.yml │ ├── web/ │ │ ├── product/ │ │ │ ├── apache/ │ │ │ │ ├── web_apache_segfault.yml │ │ │ │ └── web_apache_threading_error.yml │ │ │ └── nginx/ │ │ │ └── web_nginx_core_dump.yml │ │ ├── proxy_generic/ │ │ │ ├── proxy_download_susp_dyndns.yml │ │ │ ├── proxy_download_susp_tlds_blacklist.yml │ │ │ ├── proxy_download_susp_tlds_whitelist.yml │ │ │ ├── proxy_downloadcradle_webdav.yml │ │ │ ├── proxy_f5_tm_utility_bash_api_request.yml │ │ │ ├── proxy_hello_world_user_agent.yml │ │ │ ├── proxy_hktl_baby_shark_default_agent_url.yml │ │ │ ├── proxy_hktl_cobalt_strike_malleable_c2_requests.yml │ │ │ ├── proxy_hktl_empire_ua_uri_patterns.yml │ │ │ ├── proxy_pua_advanced_ip_scanner_update_check.yml │ │ │ ├── proxy_pwndrop.yml │ │ │ ├── proxy_raw_paste_service_access.yml │ │ │ ├── proxy_susp_flash_download_loc.yml │ │ │ ├── proxy_susp_ipfs_cred_harvest.yml │ │ │ ├── proxy_telegram_api.yml │ │ │ ├── proxy_ua_apt.yml │ │ │ ├── proxy_ua_base64_encoded.yml │ │ │ ├── proxy_ua_bitsadmin_susp_ip.yml │ │ │ ├── proxy_ua_bitsadmin_susp_tld.yml │ │ │ ├── proxy_ua_cryptominer.yml │ │ │ ├── proxy_ua_empty.yml │ │ │ ├── proxy_ua_frameworks.yml │ │ │ ├── proxy_ua_hacktool.yml │ │ │ ├── proxy_ua_malware.yml │ │ │ ├── proxy_ua_powershell.yml │ │ │ ├── proxy_ua_rclone.yml │ │ │ ├── proxy_ua_susp.yml │ │ │ ├── proxy_ua_susp_base64.yml │ │ │ └── proxy_webdav_external_execution.yml │ │ └── webserver_generic/ │ │ ├── web_f5_tm_utility_bash_api_request.yml │ │ ├── web_iis_tilt_shortname_scan.yml │ │ ├── web_java_payload_in_access_logs.yml │ │ ├── web_jndi_exploit.yml │ │ ├── web_path_traversal_exploitation_attempt.yml │ │ ├── web_source_code_enumeration.yml │ │ ├── web_sql_injection_in_access_logs.yml │ │ ├── web_ssti_in_access_logs.yml │ │ ├── web_susp_useragents.yml │ │ ├── web_susp_windows_path_uri.yml │ │ ├── web_webshell_regeorg.yml │ │ ├── web_win_webshells_in_access_logs.yml │ │ └── web_xss_in_access_logs.yml │ └── windows/ │ ├── builtin/ │ │ ├── application/ │ │ │ ├── Other/ │ │ │ │ └── win_av_relevant_match.yml │ │ │ ├── application_error/ │ │ │ │ ├── win_application_error_lsass_crash.yml │ │ │ │ └── win_application_error_msmpeng_crash.yml │ │ │ ├── esent/ │ │ │ │ ├── win_esent_ntdsutil_abuse.yml │ │ │ │ └── win_esent_ntdsutil_abuse_susp_location.yml │ │ │ ├── microsoft-windows_audit_cve/ │ │ │ │ └── win_audit_cve.yml │ │ │ ├── microsoft_windows_backup/ │ │ │ │ └── win_susp_backup_delete.yml │ │ │ ├── microsoft_windows_software_restriction_policies/ │ │ │ │ └── win_software_restriction_policies_block.yml │ │ │ ├── msiinstaller/ │ │ │ │ ├── win_builtin_remove_application.yml │ │ │ │ ├── win_msi_install_from_susp_locations.yml │ │ │ │ ├── win_msi_install_from_web.yml │ │ │ │ └── win_software_atera_rmm_agent_install.yml │ │ │ ├── mssqlserver/ │ │ │ │ ├── win_mssql_add_sysadmin_account.yml │ │ │ │ ├── win_mssql_destructive_query.yml │ │ │ │ ├── win_mssql_disable_audit_settings.yml │ │ │ │ ├── win_mssql_failed_logon.yml │ │ │ │ ├── win_mssql_failed_logon_from_external_network.yml │ │ │ │ ├── win_mssql_sp_procoption_set.yml │ │ │ │ ├── win_mssql_xp_cmdshell_audit_log.yml │ │ │ │ └── win_mssql_xp_cmdshell_change.yml │ │ │ ├── screenconnect/ │ │ │ │ ├── win_app_remote_access_tools_screenconnect_command_exec.yml │ │ │ │ └── win_app_remote_access_tools_screenconnect_file_transfer.yml │ │ │ └── windows_error_reporting/ │ │ │ └── win_application_msmpeng_crash_wer.yml │ │ ├── applocker/ │ │ │ └── win_applocker_application_was_prevented_from_running.yml │ │ ├── appmodel_runtime/ │ │ │ └── win_appmodel_runtime_sysinternals_tools_appx_execution.yml │ │ ├── appxdeployment_server/ │ │ │ ├── win_appxdeployment_server_applocker_block.yml │ │ │ ├── win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml │ │ │ ├── win_appxdeployment_server_appx_package_deployment_failed_signing_requirements.yml │ │ │ ├── win_appxdeployment_server_appx_package_in_staging_directory.yml │ │ │ ├── win_appxdeployment_server_mal_appx_names.yml │ │ │ ├── win_appxdeployment_server_policy_block.yml │ │ │ ├── win_appxdeployment_server_uncommon_package_locations.yml │ │ │ ├── win_appxpackaging_server_full_trust_package_installation.yml │ │ │ └── win_appxpackaging_server_unsigned_package_installation.yml │ │ ├── appxpackaging_om/ │ │ │ └── win_appxpackaging_om_sups_appx_signature.yml │ │ ├── bits_client/ │ │ │ ├── win_bits_client_new_job_via_bitsadmin.yml │ │ │ ├── win_bits_client_new_job_via_powershell.yml │ │ │ ├── win_bits_client_new_transfer_saving_susp_extensions.yml │ │ │ ├── win_bits_client_new_transfer_via_file_sharing_domains.yml │ │ │ ├── win_bits_client_new_transfer_via_ip_address.yml │ │ │ ├── win_bits_client_new_transfer_via_uncommon_tld.yml │ │ │ └── win_bits_client_new_trasnfer_susp_local_folder.yml │ │ ├── capi2/ │ │ │ └── win_capi2_acquire_certificate_private_key.yml │ │ ├── certificate_services_client_lifecycle_system/ │ │ │ └── win_certificateservicesclient_lifecycle_system_cert_exported.yml │ │ ├── code_integrity/ │ │ │ ├── win_codeintegrity_attempted_dll_load.yml │ │ │ ├── win_codeintegrity_blocked_protected_process_file.yml │ │ │ ├── win_codeintegrity_enforced_policy_block.yml │ │ │ ├── win_codeintegrity_revoked_driver_blocked.yml │ │ │ ├── win_codeintegrity_revoked_driver_loaded.yml │ │ │ ├── win_codeintegrity_revoked_image_blocked.yml │ │ │ ├── win_codeintegrity_revoked_image_loaded.yml │ │ │ ├── win_codeintegrity_unsigned_driver_loaded.yml │ │ │ ├── win_codeintegrity_unsigned_image_loaded.yml │ │ │ └── win_codeintegrity_whql_failure.yml │ │ ├── diagnosis/ │ │ │ └── scripted/ │ │ │ └── win_diagnosis_scripted_load_remote_diagcab.yml │ │ ├── dns_client/ │ │ │ ├── win_dns_client_anonymfiles_com.yml │ │ │ ├── win_dns_client_mal_cobaltstrike.yml │ │ │ ├── win_dns_client_mega_nz.yml │ │ │ ├── win_dns_client_put_io.yml │ │ │ ├── win_dns_client_tor_onion.yml │ │ │ └── win_dns_client_ufile_io.yml │ │ ├── dns_server/ │ │ │ ├── win_dns_server_failed_dns_zone_transfer.yml │ │ │ └── win_dns_server_susp_server_level_plugin_dll.yml │ │ ├── driverframeworks/ │ │ │ └── win_usb_device_plugged.yml │ │ ├── firewall_as/ │ │ │ ├── win_firewall_as_add_rule.yml │ │ │ ├── win_firewall_as_add_rule_susp_folder.yml │ │ │ ├── win_firewall_as_add_rule_wmiprvse.yml │ │ │ ├── win_firewall_as_delete_all_rules.yml │ │ │ ├── win_firewall_as_delete_rule.yml │ │ │ ├── win_firewall_as_failed_load_gpo.yml │ │ │ ├── win_firewall_as_reset_config.yml │ │ │ └── win_firewall_as_setting_change.yml │ │ ├── iis-configuration/ │ │ │ ├── win_iis_logging_etw_disabled.yml │ │ │ ├── win_iis_logging_http_disabled.yml │ │ │ ├── win_iis_module_added.yml │ │ │ └── win_iis_module_removed.yml │ │ ├── ldap/ │ │ │ └── win_ldap_recon.yml │ │ ├── lsa_server/ │ │ │ └── win_lsa_server_normal_user_admin.yml │ │ ├── msexchange/ │ │ │ ├── win_exchange_proxylogon_oabvirtualdir.yml │ │ │ ├── win_exchange_proxyshell_certificate_generation.yml │ │ │ ├── win_exchange_proxyshell_mailbox_export.yml │ │ │ ├── win_exchange_proxyshell_remove_mailbox_export.yml │ │ │ ├── win_exchange_set_oabvirtualdirectory_externalurl.yml │ │ │ ├── win_exchange_transportagent.yml │ │ │ └── win_exchange_transportagent_failed.yml │ │ ├── ntlm/ │ │ │ ├── win_susp_ntlm_auth.yml │ │ │ ├── win_susp_ntlm_brute_force.yml │ │ │ └── win_susp_ntlm_rdp.yml │ │ ├── openssh/ │ │ │ └── win_sshd_openssh_server_listening_on_socket.yml │ │ ├── security/ │ │ │ ├── account_management/ │ │ │ │ ├── win_security_access_token_abuse.yml │ │ │ │ ├── win_security_admin_rdp_login.yml │ │ │ │ ├── win_security_diagtrack_eop_default_login_username.yml │ │ │ │ ├── win_security_member_added_security_enabled_global_group.yml │ │ │ │ ├── win_security_member_removed_security_enabled_global_group.yml │ │ │ │ ├── win_security_overpass_the_hash.yml │ │ │ │ ├── win_security_pass_the_hash_2.yml │ │ │ │ ├── win_security_rdp_localhost_login.yml │ │ │ │ ├── win_security_security_enabled_global_group_deleted.yml │ │ │ │ ├── win_security_successful_external_remote_rdp_login.yml │ │ │ │ ├── win_security_successful_external_remote_smb_login.yml │ │ │ │ ├── win_security_susp_failed_logon_source.yml │ │ │ │ ├── win_security_susp_logon_newcredentials.yml │ │ │ │ ├── win_security_susp_privesc_kerberos_relay_over_ldap.yml │ │ │ │ ├── win_security_susp_rottenpotato.yml │ │ │ │ └── win_security_susp_wmi_login.yml │ │ │ ├── object_access/ │ │ │ │ └── win_security_wfp_endpoint_agent_blocked.yml │ │ │ ├── win_security_aadhealth_mon_agent_regkey_access.yml │ │ │ ├── win_security_aadhealth_svc_agent_regkey_access.yml │ │ │ ├── win_security_account_backdoor_dcsync_rights.yml │ │ │ ├── win_security_account_discovery.yml │ │ │ ├── win_security_ad_object_writedac_access.yml │ │ │ ├── win_security_ad_replication_non_machine_account.yml │ │ │ ├── win_security_ad_user_enumeration.yml │ │ │ ├── win_security_adcs_certificate_template_configuration_vulnerability.yml │ │ │ ├── win_security_adcs_certificate_template_configuration_vulnerability_eku.yml │ │ │ ├── win_security_add_remove_computer.yml │ │ │ ├── win_security_admin_share_access.yml │ │ │ ├── win_security_alert_active_directory_user_control.yml │ │ │ ├── win_security_alert_ad_user_backdoors.yml │ │ │ ├── win_security_alert_enable_weak_encryption.yml │ │ │ ├── win_security_alert_ruler.yml │ │ │ ├── win_security_atsvc_task.yml │ │ │ ├── win_security_audit_log_cleared.yml │ │ │ ├── win_security_camera_microphone_access.yml │ │ │ ├── win_security_cobaltstrike_service_installs.yml │ │ │ ├── win_security_codeintegrity_check_failure.yml │ │ │ ├── win_security_dce_rpc_smb_spoolss_named_pipe.yml │ │ │ ├── win_security_dcom_iertutil_dll_hijack.yml │ │ │ ├── win_security_dcsync.yml │ │ │ ├── win_security_default_domain_gpo_modification.yml │ │ │ ├── win_security_device_installation_blocked.yml │ │ │ ├── win_security_disable_event_auditing.yml │ │ │ ├── win_security_disable_event_auditing_critical.yml │ │ │ ├── win_security_dot_net_etw_tamper.yml │ │ │ ├── win_security_dpapi_domain_backupkey_extraction.yml │ │ │ ├── win_security_dpapi_domain_masterkey_backup_attempt.yml │ │ │ ├── win_security_external_device.yml │ │ │ ├── win_security_gpo_scheduledtasks.yml │ │ │ ├── win_security_hidden_user_creation.yml │ │ │ ├── win_security_hktl_edr_silencer.yml │ │ │ ├── win_security_hktl_nofilter.yml │ │ │ ├── win_security_hybridconnectionmgr_svc_installation.yml │ │ │ ├── win_security_impacket_psexec.yml │ │ │ ├── win_security_impacket_secretdump.yml │ │ │ ├── win_security_invoke_obfuscation_clip_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_obfuscated_iex_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_stdin_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_var_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_compress_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_rundll_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_stdin_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_use_clip_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_use_mshta_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_use_rundll32_services_security.yml │ │ │ ├── win_security_invoke_obfuscation_via_var_services_security.yml │ │ │ ├── win_security_iso_mount.yml │ │ │ ├── win_security_kerberoasting_activity.yml │ │ │ ├── win_security_kerberos_asrep_roasting.yml │ │ │ ├── win_security_kerberos_coercion_via_dns_object.yml │ │ │ ├── win_security_lm_namedpipe.yml │ │ │ ├── win_security_lsass_access_non_system_account.yml │ │ │ ├── win_security_mal_creddumper.yml │ │ │ ├── win_security_mal_wceaux_dll.yml │ │ │ ├── win_security_metasploit_authentication.yml │ │ │ ├── win_security_metasploit_or_impacket_smb_psexec_service_install.yml │ │ │ ├── win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml │ │ │ ├── win_security_net_ntlm_downgrade.yml │ │ │ ├── win_security_net_share_obj_susp_desktop_ini.yml │ │ │ ├── win_security_new_or_renamed_user_account_with_dollar_sign.yml │ │ │ ├── win_security_not_allowed_rdp_access.yml │ │ │ ├── win_security_password_policy_enumerated.yml │ │ │ ├── win_security_pcap_drivers.yml │ │ │ ├── win_security_petitpotam_network_share.yml │ │ │ ├── win_security_petitpotam_susp_tgt_request.yml │ │ │ ├── win_security_possible_dc_shadow.yml │ │ │ ├── win_security_powershell_script_installed_as_service.yml │ │ │ ├── win_security_protected_storage_service_access.yml │ │ │ ├── win_security_rdp_reverse_tunnel.yml │ │ │ ├── win_security_register_new_logon_process_by_rubeus.yml │ │ │ ├── win_security_registry_permissions_weakness_check.yml │ │ │ ├── win_security_remote_powershell_session.yml │ │ │ ├── win_security_replay_attack_detected.yml │ │ │ ├── win_security_sam_registry_hive_handle_request.yml │ │ │ ├── win_security_scm_database_handle_failure.yml │ │ │ ├── win_security_scm_database_privileged_operation.yml │ │ │ ├── win_security_sdelete_potential_secure_deletion.yml │ │ │ ├── win_security_service_install_remote_access_software.yml │ │ │ ├── win_security_service_installation_by_unusal_client.yml │ │ │ ├── win_security_signal_sensitive_config_access.yml │ │ │ ├── win_security_smb_file_creation_admin_shares.yml │ │ │ ├── win_security_susp_add_domain_trust.yml │ │ │ ├── win_security_susp_add_sid_history.yml │ │ │ ├── win_security_susp_computer_name.yml │ │ │ ├── win_security_susp_dsrm_password_change.yml │ │ │ ├── win_security_susp_failed_logon_reasons.yml │ │ │ ├── win_security_susp_group_policy_abuse_privilege_addition.yml │ │ │ ├── win_security_susp_group_policy_startup_script_added_to_gpo.yml │ │ │ ├── win_security_susp_kerberos_manipulation.yml │ │ │ ├── win_security_susp_ldap_dataexchange.yml │ │ │ ├── win_security_susp_local_anon_logon_created.yml │ │ │ ├── win_security_susp_logon_explicit_credentials.yml │ │ │ ├── win_security_susp_lsass_dump.yml │ │ │ ├── win_security_susp_lsass_dump_generic.yml │ │ │ ├── win_security_susp_net_recon_activity.yml │ │ │ ├── win_security_susp_opened_encrypted_zip.yml │ │ │ ├── win_security_susp_opened_encrypted_zip_filename.yml │ │ │ ├── win_security_susp_opened_encrypted_zip_outlook.yml │ │ │ ├── win_security_susp_outbound_kerberos_connection.yml │ │ │ ├── win_security_susp_possible_shadow_credentials_added.yml │ │ │ ├── win_security_susp_psexec.yml │ │ │ ├── win_security_susp_raccess_sensitive_fext.yml │ │ │ ├── win_security_susp_rc4_kerberos.yml │ │ │ ├── win_security_susp_scheduled_task_creation.yml │ │ │ ├── win_security_susp_scheduled_task_delete_or_disable.yml │ │ │ ├── win_security_susp_scheduled_task_update.yml │ │ │ ├── win_security_susp_time_modification.yml │ │ │ ├── win_security_svcctl_remote_service.yml │ │ │ ├── win_security_syskey_registry_access.yml │ │ │ ├── win_security_sysmon_channel_reference_deletion.yml │ │ │ ├── win_security_tap_driver_installation.yml │ │ │ ├── win_security_teams_suspicious_objectaccess.yml │ │ │ ├── win_security_transf_files_with_cred_data_via_network_shares.yml │ │ │ ├── win_security_user_added_to_local_administrators.yml │ │ │ ├── win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml │ │ │ ├── win_security_user_creation.yml │ │ │ ├── win_security_user_driver_loaded.yml │ │ │ ├── win_security_user_logoff.yml │ │ │ ├── win_security_vssaudit_secevent_source_registration.yml │ │ │ ├── win_security_windows_defender_exclusions_registry_modified.yml │ │ │ ├── win_security_windows_defender_exclusions_write_access.yml │ │ │ ├── win_security_wmi_persistence.yml │ │ │ ├── win_security_wmiprvse_wbemcomn_dll_hijack.yml │ │ │ └── win_security_workstation_was_locked.yml │ │ ├── security_mitigations/ │ │ │ ├── win_security_mitigations_defender_load_unsigned_dll.yml │ │ │ └── win_security_mitigations_unsigned_dll_from_susp_location.yml │ │ ├── servicebus/ │ │ │ └── win_hybridconnectionmgr_svc_running.yml │ │ ├── shell_core/ │ │ │ └── win_shell_core_susp_packages_installed.yml │ │ ├── smbclient/ │ │ │ └── security/ │ │ │ └── win_smbclient_security_susp_failed_guest_logon.yml │ │ ├── smbserver/ │ │ │ └── connectivity/ │ │ │ └── win_smbserver_connectivity_unsigned_and_unencrypted_share_connection.yml │ │ ├── system/ │ │ │ ├── application_popup/ │ │ │ │ └── win_system_application_sysmon_crash.yml │ │ │ ├── lsasrv/ │ │ │ │ └── win_system_lsasrv_ntlmv1.yml │ │ │ ├── microsoft_windows_Iphlpsvc/ │ │ │ │ └── win_system_isatap_router_address_set.yml │ │ │ ├── microsoft_windows_certification_authority/ │ │ │ │ └── win_system_adcs_enrollment_request_denied.yml │ │ │ ├── microsoft_windows_dhcp_server/ │ │ │ │ ├── win_system_susp_dhcp_config.yml │ │ │ │ └── win_system_susp_dhcp_config_failed.yml │ │ │ ├── microsoft_windows_distributed_com/ │ │ │ │ └── win_system_lpe_indicators_tabtip.yml │ │ │ ├── microsoft_windows_eventlog/ │ │ │ │ ├── win_system_eventlog_cleared.yml │ │ │ │ └── win_system_susp_eventlog_cleared.yml │ │ │ ├── microsoft_windows_kerberos_key_distribution_center/ │ │ │ │ ├── win_system_kdcsvc_cert_use_no_strong_mapping.yml │ │ │ │ └── win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml │ │ │ ├── microsoft_windows_kernel_general/ │ │ │ │ └── win_system_susp_critical_hive_location_access_bits_cleared.yml │ │ │ ├── microsoft_windows_ntfs/ │ │ │ │ └── win_system_volume_shadow_copy_mount.yml │ │ │ ├── microsoft_windows_wer_systemerrorreporting/ │ │ │ │ └── win_system_crash_dump_created.yml │ │ │ ├── microsoft_windows_windows_update_client/ │ │ │ │ └── win_system_susp_system_update_error.yml │ │ │ ├── netlogon/ │ │ │ │ ├── win_system_possible_zerologon_exploitation_using_wellknown_tools.yml │ │ │ │ └── win_system_vul_cve_2020_1472.yml │ │ │ ├── ntfs/ │ │ │ │ └── win_system_ntfs_vuln_exploit.yml │ │ │ └── service_control_manager/ │ │ │ ├── win_system_cobaltstrike_service_installs.yml │ │ │ ├── win_system_defender_disabled.yml │ │ │ ├── win_system_hack_smbexec.yml │ │ │ ├── win_system_invoke_obfuscation_clip_services.yml │ │ │ ├── win_system_invoke_obfuscation_obfuscated_iex_services.yml │ │ │ ├── win_system_invoke_obfuscation_stdin_services.yml │ │ │ ├── win_system_invoke_obfuscation_var_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_compress_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_rundll_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_stdin_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_use_clip_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_use_mshta_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_use_rundll32_services.yml │ │ │ ├── win_system_invoke_obfuscation_via_var_services.yml │ │ │ ├── win_system_krbrelayup_service_installation.yml │ │ │ ├── win_system_mal_creddumper.yml │ │ │ ├── win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml │ │ │ ├── win_system_moriya_rootkit.yml │ │ │ ├── win_system_powershell_script_installed_as_service.yml │ │ │ ├── win_system_service_install_anydesk.yml │ │ │ ├── win_system_service_install_csexecsvc.yml │ │ │ ├── win_system_service_install_hacktools.yml │ │ │ ├── win_system_service_install_mesh_agent.yml │ │ │ ├── win_system_service_install_netsupport_manager.yml │ │ │ ├── win_system_service_install_paexec.yml │ │ │ ├── win_system_service_install_pdqdeploy.yml │ │ │ ├── win_system_service_install_pdqdeploy_runner.yml │ │ │ ├── win_system_service_install_pua_proceshacker.yml │ │ │ ├── win_system_service_install_remcom.yml │ │ │ ├── win_system_service_install_remote_access_software.yml │ │ │ ├── win_system_service_install_remote_utilities.yml │ │ │ ├── win_system_service_install_sliver.yml │ │ │ ├── win_system_service_install_sups_unusal_client.yml │ │ │ ├── win_system_service_install_susp.yml │ │ │ ├── win_system_service_install_sysinternals_psexec.yml │ │ │ ├── win_system_service_install_tacticalrmm.yml │ │ │ ├── win_system_service_install_tap_driver.yml │ │ │ ├── win_system_service_install_uncommon.yml │ │ │ ├── win_system_service_terminated_error_generic.yml │ │ │ ├── win_system_service_terminated_error_important.yml │ │ │ ├── win_system_service_terminated_unexpectedly.yml │ │ │ ├── win_system_susp_rtcore64_service_install.yml │ │ │ ├── win_system_susp_service_installation_folder.yml │ │ │ ├── win_system_susp_service_installation_folder_pattern.yml │ │ │ └── win_system_susp_service_installation_script.yml │ │ ├── taskscheduler/ │ │ │ ├── win_taskscheduler_execution_from_susp_locations.yml │ │ │ ├── win_taskscheduler_lolbin_execution_via_task_scheduler.yml │ │ │ └── win_taskscheduler_susp_schtasks_delete.yml │ │ ├── terminalservices/ │ │ │ └── win_terminalservices_rdp_ngrok.yml │ │ ├── win_alert_mimikatz_keywords.yml │ │ ├── windefend/ │ │ │ ├── win_defender_antimalware_platform_expired.yml │ │ │ ├── win_defender_asr_lsass_access.yml │ │ │ ├── win_defender_asr_psexec_wmi.yml │ │ │ ├── win_defender_config_change_exclusion_added.yml │ │ │ ├── win_defender_config_change_exploit_guard_tamper.yml │ │ │ ├── win_defender_config_change_sample_submission_consent.yml │ │ │ ├── win_defender_history_delete.yml │ │ │ ├── win_defender_malware_and_pua_scan_disabled.yml │ │ │ ├── win_defender_malware_detected_amsi_source.yml │ │ │ ├── win_defender_real_time_protection_disabled.yml │ │ │ ├── win_defender_real_time_protection_errors.yml │ │ │ ├── win_defender_restored_quarantine_file.yml │ │ │ ├── win_defender_suspicious_features_tampering.yml │ │ │ ├── win_defender_tamper_protection_trigger.yml │ │ │ ├── win_defender_threat.yml │ │ │ └── win_defender_virus_scan_disabled.yml │ │ └── wmi/ │ │ └── win_wmi_persistence.yml │ ├── create_remote_thread/ │ │ ├── create_remote_thread_win_hktl_cactustorch.yml │ │ ├── create_remote_thread_win_hktl_cobaltstrike.yml │ │ ├── create_remote_thread_win_keepass.yml │ │ ├── create_remote_thread_win_mstsc_susp_location.yml │ │ ├── create_remote_thread_win_powershell_lsass.yml │ │ ├── create_remote_thread_win_powershell_susp_targets.yml │ │ ├── create_remote_thread_win_susp_password_dumper_lsass.yml │ │ ├── create_remote_thread_win_susp_relevant_source_image.yml │ │ ├── create_remote_thread_win_susp_uncommon_source_image.yml │ │ ├── create_remote_thread_win_susp_uncommon_target_image.yml │ │ └── create_remote_thread_win_ttdinjec.yml │ ├── create_stream_hash/ │ │ ├── create_stream_hash_ads_executable.yml │ │ ├── create_stream_hash_creation_internet_file.yml │ │ ├── create_stream_hash_file_sharing_domains_download_susp_extension.yml │ │ ├── create_stream_hash_file_sharing_domains_download_unusual_extension.yml │ │ ├── create_stream_hash_hktl_generic_download.yml │ │ ├── create_stream_hash_regedit_export_to_ads.yml │ │ ├── create_stream_hash_susp_ip_domains.yml │ │ ├── create_stream_hash_winget_susp_package_source.yml │ │ └── create_stream_hash_zip_tld_download.yml │ ├── dns_query/ │ │ ├── dns_query_win_anonymfiles_com.yml │ │ ├── dns_query_win_appinstaller.yml │ │ ├── dns_query_win_cloudflared_communication.yml │ │ ├── dns_query_win_common_malware_hosting_services.yml │ │ ├── dns_query_win_devtunnels_communication.yml │ │ ├── dns_query_win_dns_server_discovery_via_ldap_query.yml │ │ ├── dns_query_win_domain_azurewebsites.yml │ │ ├── dns_query_win_finger.yml │ │ ├── dns_query_win_gup_query_to_uncommon_domains.yml │ │ ├── dns_query_win_hybridconnectionmgr_servicebus.yml │ │ ├── dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml │ │ ├── dns_query_win_mal_cobaltstrike.yml │ │ ├── dns_query_win_mega_nz.yml │ │ ├── dns_query_win_onelaunch_update_service.yml │ │ ├── dns_query_win_quickassist.yml │ │ ├── dns_query_win_regsvr32_dns_query.yml │ │ ├── dns_query_win_remote_access_software_domains_non_browsers.yml │ │ ├── dns_query_win_susp_external_ip_lookup.yml │ │ ├── dns_query_win_teamviewer_domain_query_by_uncommon_app.yml │ │ ├── dns_query_win_tor_onion_domain_query.yml │ │ ├── dns_query_win_ufile_io_query.yml │ │ └── dns_query_win_vscode_tunnel_communication.yml │ ├── driver_load/ │ │ ├── driver_load_win_mal_drivers.yml │ │ ├── driver_load_win_mal_drivers_names.yml │ │ ├── driver_load_win_pua_process_hacker.yml │ │ ├── driver_load_win_pua_system_informer.yml │ │ ├── driver_load_win_susp_temp_use.yml │ │ ├── driver_load_win_vuln_drivers.yml │ │ ├── driver_load_win_vuln_drivers_names.yml │ │ ├── driver_load_win_vuln_hevd_driver.yml │ │ ├── driver_load_win_vuln_winring0_driver.yml │ │ └── driver_load_win_windivert.yml │ ├── file/ │ │ ├── file_access/ │ │ │ ├── file_access_win_susp_credential_manager_access.yml │ │ │ ├── file_access_win_susp_credhist.yml │ │ │ ├── file_access_win_susp_crypto_currency_wallets.yml │ │ │ ├── file_access_win_susp_dpapi_master_key_access.yml │ │ │ ├── file_access_win_susp_gpo_files.yml │ │ │ ├── file_access_win_susp_process_access_browser_cred_files.yml │ │ │ └── file_access_win_teams_sensitive_files.yml │ │ ├── file_change/ │ │ │ └── file_change_win_unusual_modification_by_dns_exe.yml │ │ ├── file_delete/ │ │ │ ├── file_delete_win_delete_backup_file.yml │ │ │ ├── file_delete_win_delete_event_log_files.yml │ │ │ ├── file_delete_win_delete_exchange_powershell_logs.yml │ │ │ ├── file_delete_win_delete_iis_access_logs.yml │ │ │ ├── file_delete_win_delete_own_image.yml │ │ │ ├── file_delete_win_delete_powershell_command_history.yml │ │ │ ├── file_delete_win_delete_prefetch.yml │ │ │ ├── file_delete_win_delete_teamviewer_logs.yml │ │ │ ├── file_delete_win_delete_tomcat_logs.yml │ │ │ ├── file_delete_win_sysinternals_sdelete_file_deletion.yml │ │ │ ├── file_delete_win_unusual_deletion_by_dns_exe.yml │ │ │ └── file_delete_win_zone_identifier_ads_uncommon.yml │ │ ├── file_event/ │ │ │ ├── file_event_win_adsi_cache_creation_by_uncommon_tool.yml │ │ │ ├── file_event_win_advanced_ip_scanner.yml │ │ │ ├── file_event_win_anydesk_artefact.yml │ │ │ ├── file_event_win_anydesk_writing_susp_binaries.yml │ │ │ ├── file_event_win_arcsoc_susp_file_created.yml │ │ │ ├── file_event_win_aspnet_temp_files.yml │ │ │ ├── file_event_win_bloodhound_collection.yml │ │ │ ├── file_event_win_comodo_itsm_potentially_suspicious_file_creation.yml │ │ │ ├── file_event_win_create_evtx_non_common_locations.yml │ │ │ ├── file_event_win_create_non_existent_dlls.yml │ │ │ ├── file_event_win_creation_deno.yml │ │ │ ├── file_event_win_creation_new_shim_database.yml │ │ │ ├── file_event_win_creation_scr_binary_file.yml │ │ │ ├── file_event_win_creation_system_dll_files.yml │ │ │ ├── file_event_win_creation_system_file.yml │ │ │ ├── file_event_win_creation_unquoted_service_path.yml │ │ │ ├── file_event_win_cred_dump_tools_dropped_files.yml │ │ │ ├── file_event_win_cscript_wscript_dropper.yml │ │ │ ├── file_event_win_csexec_service.yml │ │ │ ├── file_event_win_csharp_compile_artefact.yml │ │ │ ├── file_event_win_dcom_iertutil_dll_hijack.yml │ │ │ ├── file_event_win_desktop_ini_created_by_uncommon_process.yml │ │ │ ├── file_event_win_dll_sideloading_space_path.yml │ │ │ ├── file_event_win_dump_file_susp_creation.yml │ │ │ ├── file_event_win_errorhandler_persistence.yml │ │ │ ├── file_event_win_exchange_webshell_drop.yml │ │ │ ├── file_event_win_exchange_webshell_drop_suspicious.yml │ │ │ ├── file_event_win_gotoopener_artefact.yml │ │ │ ├── file_event_win_gup_uncommon_file_creation.yml │ │ │ ├── file_event_win_hktl_crackmapexec_indicators.yml │ │ │ ├── file_event_win_hktl_dumpert.yml │ │ │ ├── file_event_win_hktl_hivenightmare_file_exports.yml │ │ │ ├── file_event_win_hktl_inveigh_artefacts.yml │ │ │ ├── file_event_win_hktl_krbrelay_remote_ioc.yml │ │ │ ├── file_event_win_hktl_mimikatz_files.yml │ │ │ ├── file_event_win_hktl_nppspy.yml │ │ │ ├── file_event_win_hktl_powerup_dllhijacking.yml │ │ │ ├── file_event_win_hktl_quarkspw_filedump.yml │ │ │ ├── file_event_win_hktl_remote_cred_dump.yml │ │ │ ├── file_event_win_hktl_safetykatz.yml │ │ │ ├── file_event_win_impacket_file_indicators.yml │ │ │ ├── file_event_win_initial_access_dll_search_order_hijacking.yml │ │ │ ├── file_event_win_install_teamviewer_desktop.yml │ │ │ ├── file_event_win_iphlpapi_dll_sideloading.yml │ │ │ ├── file_event_win_iso_file_mount.yml │ │ │ ├── file_event_win_iso_file_recent.yml │ │ │ ├── file_event_win_lolbin_gather_network_info_script_output.yml │ │ │ ├── file_event_win_lsass_default_dump_file_names.yml │ │ │ ├── file_event_win_lsass_shtinkering.yml │ │ │ ├── file_event_win_lsass_werfault_dump.yml │ │ │ ├── file_event_win_mal_adwind.yml │ │ │ ├── file_event_win_mal_octopus_scanner.yml │ │ │ ├── file_event_win_msdt_susp_directories.yml │ │ │ ├── file_event_win_mysqld_uncommon_file_creation.yml │ │ │ ├── file_event_win_net_cli_artefact.yml │ │ │ ├── file_event_win_new_files_in_uncommon_appdata_folder.yml │ │ │ ├── file_event_win_new_scr_file.yml │ │ │ ├── file_event_win_notepad_plus_plus_persistence.yml │ │ │ ├── file_event_win_ntds_dit_creation.yml │ │ │ ├── file_event_win_ntds_dit_uncommon_parent_process.yml │ │ │ ├── file_event_win_ntds_dit_uncommon_process.yml │ │ │ ├── file_event_win_ntds_exfil_tools.yml │ │ │ ├── file_event_win_office_addin_persistence.yml │ │ │ ├── file_event_win_office_macro_files_created.yml │ │ │ ├── file_event_win_office_macro_files_downloaded.yml │ │ │ ├── file_event_win_office_macro_files_from_susp_process.yml │ │ │ ├── file_event_win_office_onenote_files_in_susp_locations.yml │ │ │ ├── file_event_win_office_onenote_susp_dropped_files.yml │ │ │ ├── file_event_win_office_outlook_macro_creation.yml │ │ │ ├── file_event_win_office_outlook_newform.yml │ │ │ ├── file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml │ │ │ ├── file_event_win_office_outlook_susp_macro_creation.yml │ │ │ ├── file_event_win_office_publisher_files_in_susp_locations.yml │ │ │ ├── file_event_win_office_startup_persistence.yml │ │ │ ├── file_event_win_office_susp_file_extension.yml │ │ │ ├── file_event_win_office_uncommon_file_startup.yml │ │ │ ├── file_event_win_pcre_net_temp_file.yml │ │ │ ├── file_event_win_perflogs_susp_files.yml │ │ │ ├── file_event_win_powershell_drop_binary_or_script.yml │ │ │ ├── file_event_win_powershell_drop_powershell.yml │ │ │ ├── file_event_win_powershell_exploit_scripts.yml │ │ │ ├── file_event_win_powershell_module_creation.yml │ │ │ ├── file_event_win_powershell_module_susp_creation.yml │ │ │ ├── file_event_win_powershell_module_uncommon_creation.yml │ │ │ ├── file_event_win_powershell_startup_shortcuts.yml │ │ │ ├── file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml │ │ │ ├── file_event_win_rclone_config_files.yml │ │ │ ├── file_event_win_rdp_file_susp_creation.yml │ │ │ ├── file_event_win_redmimicry_winnti_filedrop.yml │ │ │ ├── file_event_win_regedit_print_as_pdf.yml │ │ │ ├── file_event_win_remcom_service.yml │ │ │ ├── file_event_win_remote_access_tools_screenconnect_artefact.yml │ │ │ ├── file_event_win_remote_access_tools_screenconnect_remote_file.yml │ │ │ ├── file_event_win_ripzip_attack.yml │ │ │ ├── file_event_win_sam_dump.yml │ │ │ ├── file_event_win_sed_file_creation.yml │ │ │ ├── file_event_win_shell_write_susp_directory.yml │ │ │ ├── file_event_win_shell_write_susp_files_extensions.yml │ │ │ ├── file_event_win_startup_folder_file_write.yml │ │ │ ├── file_event_win_susp_colorcpl.yml │ │ │ ├── file_event_win_susp_creation_by_mobsync.yml │ │ │ ├── file_event_win_susp_default_gpo_dir_write.yml │ │ │ ├── file_event_win_susp_desktop_txt.yml │ │ │ ├── file_event_win_susp_desktopimgdownldr_file.yml │ │ │ ├── file_event_win_susp_diagcab.yml │ │ │ ├── file_event_win_susp_double_extension.yml │ │ │ ├── file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml │ │ │ ├── file_event_win_susp_exchange_aspx_write.yml │ │ │ ├── file_event_win_susp_executable_creation.yml │ │ │ ├── file_event_win_susp_file_write_in_webapps_root.yml │ │ │ ├── file_event_win_susp_filewrite_in_sharepoint_layouts_dir.yml │ │ │ ├── file_event_win_susp_get_variable.yml │ │ │ ├── file_event_win_susp_hidden_dir_index_allocation.yml │ │ │ ├── file_event_win_susp_homoglyph_filename.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_archive.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_exe.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml │ │ │ ├── file_event_win_susp_legitimate_app_dropping_script.yml │ │ │ ├── file_event_win_susp_lnk_double_extension.yml │ │ │ ├── file_event_win_susp_powershell_profile.yml │ │ │ ├── file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml │ │ │ ├── file_event_win_susp_public_folder_extension.yml │ │ │ ├── file_event_win_susp_recycle_bin_fake_exec.yml │ │ │ ├── file_event_win_susp_right_to_left_override_extension_spoofing.yml │ │ │ ├── file_event_win_susp_spool_drivers_color_drop.yml │ │ │ ├── file_event_win_susp_startup_folder_persistence.yml │ │ │ ├── file_event_win_susp_system_interactive_powershell.yml │ │ │ ├── file_event_win_susp_task_write.yml │ │ │ ├── file_event_win_susp_teamviewer_remote_session.yml │ │ │ ├── file_event_win_susp_vscode_powershell_profile.yml │ │ │ ├── file_event_win_susp_wdac_policy_creation.yml │ │ │ ├── file_event_win_susp_windows_terminal_profile.yml │ │ │ ├── file_event_win_susp_winsxs_binary_creation.yml │ │ │ ├── file_event_win_sysinternals_adexplorer_dump_written.yml │ │ │ ├── file_event_win_sysinternals_livekd_default_dump_name.yml │ │ │ ├── file_event_win_sysinternals_livekd_driver.yml │ │ │ ├── file_event_win_sysinternals_livekd_driver_susp_creation.yml │ │ │ ├── file_event_win_sysinternals_procexp_driver_susp_creation.yml │ │ │ ├── file_event_win_sysinternals_procmon_driver_susp_creation.yml │ │ │ ├── file_event_win_sysinternals_psexec_service.yml │ │ │ ├── file_event_win_sysinternals_psexec_service_key.yml │ │ │ ├── file_event_win_system32_local_folder_privilege_escalation.yml │ │ │ ├── file_event_win_taskmgr_lsass_dump.yml │ │ │ ├── file_event_win_tsclient_filewrite_startup.yml │ │ │ ├── file_event_win_uac_bypass_consent_comctl32.yml │ │ │ ├── file_event_win_uac_bypass_dotnet_profiler.yml │ │ │ ├── file_event_win_uac_bypass_eventvwr.yml │ │ │ ├── file_event_win_uac_bypass_idiagnostic_profile.yml │ │ │ ├── file_event_win_uac_bypass_ieinstal.yml │ │ │ ├── file_event_win_uac_bypass_msconfig_gui.yml │ │ │ ├── file_event_win_uac_bypass_ntfs_reparse_point.yml │ │ │ ├── file_event_win_uac_bypass_winsat.yml │ │ │ ├── file_event_win_uac_bypass_wmp.yml │ │ │ ├── file_event_win_vhd_download_via_browsers.yml │ │ │ ├── file_event_win_vscode_tunnel_remote_creation_artefacts.yml │ │ │ ├── file_event_win_vscode_tunnel_renamed_execution.yml │ │ │ ├── file_event_win_webshell_creation_detect.yml │ │ │ ├── file_event_win_werfault_dll_hijacking.yml │ │ │ ├── file_event_win_winrar_file_creation_in_startup_folder.yml │ │ │ ├── file_event_win_winrm_awl_bypass.yml │ │ │ ├── file_event_win_wmi_persistence_script_event_consumer_write.yml │ │ │ ├── file_event_win_wmiexec_default_filename.yml │ │ │ ├── file_event_win_wmiprvse_wbemcomn_dll_hijack.yml │ │ │ ├── file_event_win_wpbbin_persistence.yml │ │ │ └── file_event_win_writing_local_admin_share.yml │ │ ├── file_executable_detected/ │ │ │ └── file_executable_detected_win_susp_embeded_sed_file.yml │ │ └── file_rename/ │ │ └── file_rename_win_ransomware.yml │ ├── image_load/ │ │ ├── image_load_clfs_load.yml │ │ ├── image_load_cmstp_load_dll_from_susp_location.yml │ │ ├── image_load_dll_amsi_suspicious_process.yml │ │ ├── image_load_dll_azure_microsoft_account_token_provider_dll_load.yml │ │ ├── image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml │ │ ├── image_load_dll_credui_uncommon_process_load.yml │ │ ├── image_load_dll_dbghelp_dbgcore_unsigned_load.yml │ │ ├── image_load_dll_pcre_dotnet_dll_load.yml │ │ ├── image_load_dll_rstrtmgr_suspicious_load.yml │ │ ├── image_load_dll_rstrtmgr_uncommon_load.yml │ │ ├── image_load_dll_sdiageng_load_by_msdt.yml │ │ ├── image_load_dll_system_management_automation_susp_load.yml │ │ ├── image_load_dll_tttracer_module_load.yml │ │ ├── image_load_dll_unsigned_node_load.yml │ │ ├── image_load_dll_vss_ps_susp_load.yml │ │ ├── image_load_dll_vssapi_susp_load.yml │ │ ├── image_load_dll_vsstrace_susp_load.yml │ │ ├── image_load_hktl_sharpevtmute.yml │ │ ├── image_load_hktl_silenttrinity_stager.yml │ │ ├── image_load_iexplore_dcom_iertutil_dll_hijack.yml │ │ ├── image_load_lsass_unsigned_image_load.yml │ │ ├── image_load_office_dotnet_assembly_dll_load.yml │ │ ├── image_load_office_dotnet_clr_dll_load.yml │ │ ├── image_load_office_dotnet_gac_dll_load.yml │ │ ├── image_load_office_excel_xll_susp_load.yml │ │ ├── image_load_office_outlook_outlvba_load.yml │ │ ├── image_load_office_powershell_dll_load.yml │ │ ├── image_load_office_vbadll_load.yml │ │ ├── image_load_rundll32_remote_share_load.yml │ │ ├── image_load_scrcons_wmi_scripteventconsumer.yml │ │ ├── image_load_side_load_7za.yml │ │ ├── image_load_side_load_abused_dlls_susp_paths.yml │ │ ├── image_load_side_load_antivirus.yml │ │ ├── image_load_side_load_appverifui.yml │ │ ├── image_load_side_load_aruba_networks_virtual_intranet_access.yml │ │ ├── image_load_side_load_avkkid.yml │ │ ├── image_load_side_load_ccleaner_du.yml │ │ ├── image_load_side_load_ccleaner_reactivator.yml │ │ ├── image_load_side_load_chrome_frame_helper.yml │ │ ├── image_load_side_load_classicexplorer32.yml │ │ ├── image_load_side_load_comctl32.yml │ │ ├── image_load_side_load_coregen.yml │ │ ├── image_load_side_load_cpl_from_non_system_location.yml │ │ ├── image_load_side_load_dbgcore.yml │ │ ├── image_load_side_load_dbghelp.yml │ │ ├── image_load_side_load_dbgmodel.yml │ │ ├── image_load_side_load_eacore.yml │ │ ├── image_load_side_load_edputil.yml │ │ ├── image_load_side_load_from_non_system_location.yml │ │ ├── image_load_side_load_goopdate.yml │ │ ├── image_load_side_load_gup_libcurl.yml │ │ ├── image_load_side_load_iviewers.yml │ │ ├── image_load_side_load_jli.yml │ │ ├── image_load_side_load_jsschhlp.yml │ │ ├── image_load_side_load_keyscrambler.yml │ │ ├── image_load_side_load_libvlc.yml │ │ ├── image_load_side_load_mfdetours.yml │ │ ├── image_load_side_load_mfdetours_unsigned.yml │ │ ├── image_load_side_load_mpsvc.yml │ │ ├── image_load_side_load_mscorsvc.yml │ │ ├── image_load_side_load_non_existent_dlls.yml │ │ ├── image_load_side_load_office_dlls.yml │ │ ├── image_load_side_load_python.yml │ │ ├── image_load_side_load_rcdll.yml │ │ ├── image_load_side_load_rjvplatform_default_location.yml │ │ ├── image_load_side_load_rjvplatform_non_default_location.yml │ │ ├── image_load_side_load_robform.yml │ │ ├── image_load_side_load_shell_chrome_api.yml │ │ ├── image_load_side_load_shelldispatch.yml │ │ ├── image_load_side_load_smadhook.yml │ │ ├── image_load_side_load_solidpdfcreator.yml │ │ ├── image_load_side_load_third_party.yml │ │ ├── image_load_side_load_ualapi.yml │ │ ├── image_load_side_load_vivaldi_elf.yml │ │ ├── image_load_side_load_vmguestlib.yml │ │ ├── image_load_side_load_vmmap_dbghelp_signed.yml │ │ ├── image_load_side_load_vmmap_dbghelp_unsigned.yml │ │ ├── image_load_side_load_vmware_xfer.yml │ │ ├── image_load_side_load_waveedit.yml │ │ ├── image_load_side_load_wazuh.yml │ │ ├── image_load_side_load_windows_defender.yml │ │ ├── image_load_side_load_wwlib.yml │ │ ├── image_load_susp_baaupdate_dll_load.yml │ │ ├── image_load_susp_clickonce_unsigned_module_loaded.yml │ │ ├── image_load_susp_dll_load_system_process.yml │ │ ├── image_load_susp_python_image_load.yml │ │ ├── image_load_susp_script_dotnet_clr_dll_load.yml │ │ ├── image_load_susp_unsigned_dll.yml │ │ ├── image_load_thor_unsigned_execution.yml │ │ ├── image_load_uac_bypass_iscsicpl.yml │ │ ├── image_load_uac_bypass_via_dism.yml │ │ ├── image_load_win_mmc_loads_script_engine_dll.yml │ │ ├── image_load_win_susp_dbgcore_dbghelp_load.yml │ │ ├── image_load_win_trusted_path_bypass.yml │ │ ├── image_load_wmi_persistence_commandline_event_consumer.yml │ │ ├── image_load_wmic_remote_xsl_scripting_dlls.yml │ │ ├── image_load_wmiprvse_wbemcomn_dll_hijack.yml │ │ └── image_load_wsman_provider_image_load.yml │ ├── network_connection/ │ │ ├── net_connection_win_addinutil_initiated.yml │ │ ├── net_connection_win_adws_unusual_connection.yml │ │ ├── net_connection_win_certutil_initiated_connection.yml │ │ ├── net_connection_win_cmstp_initiated_connection.yml │ │ ├── net_connection_win_dialer_initiated_connection.yml │ │ ├── net_connection_win_domain_azurewebsites.yml │ │ ├── net_connection_win_domain_btunnels.yml │ │ ├── net_connection_win_domain_cloudflared_communication.yml │ │ ├── net_connection_win_domain_crypto_mining_pools.yml │ │ ├── net_connection_win_domain_dead_drop_resolvers.yml │ │ ├── net_connection_win_domain_devtunnels.yml │ │ ├── net_connection_win_domain_dropbox_api.yml │ │ ├── net_connection_win_domain_external_ip_lookup.yml │ │ ├── net_connection_win_domain_google_api_non_browser_access.yml │ │ ├── net_connection_win_domain_localtonet_tunnel.yml │ │ ├── net_connection_win_domain_mega_nz.yml │ │ ├── net_connection_win_domain_ngrok.yml │ │ ├── net_connection_win_domain_ngrok_tunnel.yml │ │ ├── net_connection_win_domain_notion_api_susp_communication.yml │ │ ├── net_connection_win_domain_portmap.yml │ │ ├── net_connection_win_domain_telegram_api_non_browser_access.yml │ │ ├── net_connection_win_domain_vscode_tunnel_connection.yml │ │ ├── net_connection_win_eqnedt.yml │ │ ├── net_connection_win_finger.yml │ │ ├── net_connection_win_imewdbld.yml │ │ ├── net_connection_win_notepad.yml │ │ ├── net_connection_win_office_outbound_non_local_ip.yml │ │ ├── net_connection_win_office_uncommon_ports.yml │ │ ├── net_connection_win_python.yml │ │ ├── net_connection_win_rdp_outbound_over_non_standard_tools.yml │ │ ├── net_connection_win_rdp_reverse_tunnel.yml │ │ ├── net_connection_win_rdp_to_http.yml │ │ ├── net_connection_win_regasm_network_activity.yml │ │ ├── net_connection_win_regsvr32_network_activity.yml │ │ ├── net_connection_win_remote_access_tools_anydesk_incoming_connection.yml │ │ ├── net_connection_win_rundll32_net_connections.yml │ │ ├── net_connection_win_silenttrinity_stager_msbuild_activity.yml │ │ ├── net_connection_win_susp_binary_no_cmdline.yml │ │ ├── net_connection_win_susp_file_sharing_domains_susp_folders.yml │ │ ├── net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml │ │ ├── net_connection_win_susp_malware_callback_port.yml │ │ ├── net_connection_win_susp_malware_callback_ports_uncommon.yml │ │ ├── net_connection_win_susp_outbound_kerberos_connection.yml │ │ ├── net_connection_win_susp_outbound_mobsync_connection.yml │ │ ├── net_connection_win_susp_outbound_smtp_connections.yml │ │ ├── net_connection_win_susp_remote_powershell_session.yml │ │ ├── net_connection_win_winlogon_net_connections.yml │ │ ├── net_connection_win_wordpad_uncommon_ports.yml │ │ ├── net_connection_win_wscript_cscript_local_connection.yml │ │ ├── net_connection_win_wscript_cscript_outbound_connection.yml │ │ └── net_connection_win_wuauclt_network_connection.yml │ ├── pipe_created/ │ │ ├── pipe_created_adfs_namedpipe_connection_uncommon_tool.yml │ │ ├── pipe_created_hktl_cobaltstrike.yml │ │ ├── pipe_created_hktl_cobaltstrike_re.yml │ │ ├── pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml │ │ ├── pipe_created_hktl_coercedpotato.yml │ │ ├── pipe_created_hktl_diagtrack_eop.yml │ │ ├── pipe_created_hktl_efspotato.yml │ │ ├── pipe_created_hktl_generic_cred_dump_tools_pipes.yml │ │ ├── pipe_created_hktl_koh_default_pipe.yml │ │ ├── pipe_created_powershell_alternate_host_pipe.yml │ │ ├── pipe_created_powershell_execution_pipe.yml │ │ ├── pipe_created_pua_csexec_default_pipe.yml │ │ ├── pipe_created_pua_paexec_default_pipe.yml │ │ ├── pipe_created_pua_remcom_default_pipe.yml │ │ ├── pipe_created_scrcons_wmi_consumer_namedpipe.yml │ │ ├── pipe_created_susp_malicious_namedpipes.yml │ │ └── pipe_created_sysinternals_psexec_default_pipe_susp_location.yml │ ├── powershell/ │ │ ├── powershell_classic/ │ │ │ ├── posh_pc_abuse_nslookup_with_dns_records.yml │ │ │ ├── posh_pc_delete_volume_shadow_copies.yml │ │ │ ├── posh_pc_downgrade_attack.yml │ │ │ ├── posh_pc_exe_calling_ps.yml │ │ │ ├── posh_pc_powercat.yml │ │ │ ├── posh_pc_remote_powershell_session.yml │ │ │ ├── posh_pc_remotefxvgpudisablement_abuse.yml │ │ │ ├── posh_pc_renamed_powershell.yml │ │ │ ├── posh_pc_susp_download.yml │ │ │ ├── posh_pc_susp_get_nettcpconnection.yml │ │ │ ├── posh_pc_susp_zip_compress.yml │ │ │ ├── posh_pc_tamper_windows_defender_set_mp.yml │ │ │ └── posh_pc_wsman_com_provider_no_powershell.yml │ │ ├── powershell_module/ │ │ │ ├── posh_pm_active_directory_module_dll_import.yml │ │ │ ├── posh_pm_alternate_powershell_hosts.yml │ │ │ ├── posh_pm_bad_opsec_artifacts.yml │ │ │ ├── posh_pm_clear_powershell_history.yml │ │ │ ├── posh_pm_decompress_commands.yml │ │ │ ├── posh_pm_exploit_scripts.yml │ │ │ ├── posh_pm_get_addbaccount.yml │ │ │ ├── posh_pm_get_clipboard.yml │ │ │ ├── posh_pm_hktl_evil_winrm_execution.yml │ │ │ ├── posh_pm_invoke_obfuscation_clip.yml │ │ │ ├── posh_pm_invoke_obfuscation_obfuscated_iex.yml │ │ │ ├── posh_pm_invoke_obfuscation_stdin.yml │ │ │ ├── posh_pm_invoke_obfuscation_var.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_compress.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_rundll.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_stdin.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_use_clip.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_use_mhsta.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_use_rundll32.yml │ │ │ ├── posh_pm_invoke_obfuscation_via_var.yml │ │ │ ├── posh_pm_malicious_commandlets.yml │ │ │ ├── posh_pm_remote_powershell_session.yml │ │ │ ├── posh_pm_remotefxvgpudisablement_abuse.yml │ │ │ ├── posh_pm_susp_ad_group_reco.yml │ │ │ ├── posh_pm_susp_download.yml │ │ │ ├── posh_pm_susp_get_nettcpconnection.yml │ │ │ ├── posh_pm_susp_invocation_generic.yml │ │ │ ├── posh_pm_susp_invocation_specific.yml │ │ │ ├── posh_pm_susp_local_group_reco.yml │ │ │ ├── posh_pm_susp_reset_computermachinepassword.yml │ │ │ ├── posh_pm_susp_smb_share_reco.yml │ │ │ ├── posh_pm_susp_zip_compress.yml │ │ │ └── posh_pm_syncappvpublishingserver_exe.yml │ │ └── powershell_script/ │ │ ├── posh_ps_aadinternals_cmdlets_execution.yml │ │ ├── posh_ps_access_to_browser_login_data.yml │ │ ├── posh_ps_active_directory_module_dll_import.yml │ │ ├── posh_ps_add_dnsclient_rule.yml │ │ ├── posh_ps_add_windows_capability.yml │ │ ├── posh_ps_adrecon_execution.yml │ │ ├── posh_ps_amsi_bypass_pattern_nov22.yml │ │ ├── posh_ps_amsi_null_bits_bypass.yml │ │ ├── posh_ps_apt_silence_eda.yml │ │ ├── posh_ps_as_rep_roasting.yml │ │ ├── posh_ps_audio_exfiltration.yml │ │ ├── posh_ps_automated_collection.yml │ │ ├── posh_ps_capture_screenshots.yml │ │ ├── posh_ps_clear_powershell_history.yml │ │ ├── posh_ps_clearing_windows_console_history.yml │ │ ├── posh_ps_cmdlet_scheduled_task.yml │ │ ├── posh_ps_computer_discovery_get_adcomputer.yml │ │ ├── posh_ps_copy_item_system_directory.yml │ │ ├── posh_ps_cor_profiler.yml │ │ ├── posh_ps_create_local_user.yml │ │ ├── posh_ps_create_volume_shadow_copy.yml │ │ ├── posh_ps_detect_vm_env.yml │ │ ├── posh_ps_directorysearcher.yml │ │ ├── posh_ps_directoryservices_accountmanagement.yml │ │ ├── posh_ps_disable_psreadline_command_history.yml │ │ ├── posh_ps_disable_windows_optional_feature.yml │ │ ├── posh_ps_dotnet_assembly_from_file.yml │ │ ├── posh_ps_download_com_cradles.yml │ │ ├── posh_ps_dsinternals_cmdlets.yml │ │ ├── posh_ps_dump_password_windows_credential_manager.yml │ │ ├── posh_ps_enable_psremoting.yml │ │ ├── posh_ps_enable_susp_windows_optional_feature.yml │ │ ├── posh_ps_enumerate_password_windows_credential_manager.yml │ │ ├── posh_ps_etw_trace_evasion.yml │ │ ├── posh_ps_export_certificate.yml │ │ ├── posh_ps_frombase64string_archive.yml │ │ ├── posh_ps_get_acl_service.yml │ │ ├── posh_ps_get_adcomputer.yml │ │ ├── posh_ps_get_adgroup.yml │ │ ├── posh_ps_get_adreplaccount.yml │ │ ├── posh_ps_get_childitem_bookmarks.yml │ │ ├── posh_ps_get_process_security_software_discovery.yml │ │ ├── posh_ps_hktl_rubeus.yml │ │ ├── posh_ps_hktl_winpwn.yml │ │ ├── posh_ps_hotfix_enum.yml │ │ ├── posh_ps_icmp_exfiltration.yml │ │ ├── posh_ps_import_module_susp_dirs.yml │ │ ├── posh_ps_install_unsigned_appx_packages.yml │ │ ├── posh_ps_invoke_command_remote.yml │ │ ├── posh_ps_invoke_dnsexfiltration.yml │ │ ├── posh_ps_invoke_obfuscation_clip.yml │ │ ├── posh_ps_invoke_obfuscation_obfuscated_iex.yml │ │ ├── posh_ps_invoke_obfuscation_stdin.yml │ │ ├── posh_ps_invoke_obfuscation_var.yml │ │ ├── posh_ps_invoke_obfuscation_via_compress.yml │ │ ├── posh_ps_invoke_obfuscation_via_rundll.yml │ │ ├── posh_ps_invoke_obfuscation_via_stdin.yml │ │ ├── posh_ps_invoke_obfuscation_via_use_clip.yml │ │ ├── posh_ps_invoke_obfuscation_via_use_mhsta.yml │ │ ├── posh_ps_invoke_obfuscation_via_use_rundll32.yml │ │ ├── posh_ps_invoke_obfuscation_via_var.yml │ │ ├── posh_ps_keylogging.yml │ │ ├── posh_ps_localuser.yml │ │ ├── posh_ps_mailboxexport_share.yml │ │ ├── posh_ps_malicious_commandlets.yml │ │ ├── posh_ps_malicious_keywords.yml │ │ ├── posh_ps_memorydump_getstoragediagnosticinfo.yml │ │ ├── posh_ps_modify_group_policy_settings.yml │ │ ├── posh_ps_msxml_com.yml │ │ ├── posh_ps_nishang_malicious_commandlets.yml │ │ ├── posh_ps_ntfs_ads_access.yml │ │ ├── posh_ps_office_comobject_registerxll.yml │ │ ├── posh_ps_packet_capture.yml │ │ ├── posh_ps_potential_invoke_mimikatz.yml │ │ ├── posh_ps_potential_unconstrained_delegation_discovery.yml │ │ ├── posh_ps_powershell_web_access_installation.yml │ │ ├── posh_ps_powerview_malicious_commandlets.yml │ │ ├── posh_ps_prompt_credentials.yml │ │ ├── posh_ps_psasyncshell.yml │ │ ├── posh_ps_psattack.yml │ │ ├── posh_ps_remote_session_creation.yml │ │ ├── posh_ps_remotefxvgpudisablement_abuse.yml │ │ ├── posh_ps_request_kerberos_ticket.yml │ │ ├── posh_ps_resolve_list_of_ip_from_file.yml │ │ ├── posh_ps_root_certificate_installed.yml │ │ ├── posh_ps_run_from_mount_diskimage.yml │ │ ├── posh_ps_script_with_upload_capabilities.yml │ │ ├── posh_ps_sensitive_file_discovery.yml │ │ ├── posh_ps_set_acl.yml │ │ ├── posh_ps_set_acl_susp_location.yml │ │ ├── posh_ps_set_policies_to_unsecure_level.yml │ │ ├── posh_ps_shellcode_b64.yml │ │ ├── posh_ps_shellintel_malicious_commandlets.yml │ │ ├── posh_ps_software_discovery.yml │ │ ├── posh_ps_store_file_in_alternate_data_stream.yml │ │ ├── posh_ps_susp_ace_tampering.yml │ │ ├── posh_ps_susp_ad_group_reco.yml │ │ ├── posh_ps_susp_alias_obfscuation.yml │ │ ├── posh_ps_susp_clear_eventlog.yml │ │ ├── posh_ps_susp_directory_enum.yml │ │ ├── posh_ps_susp_download.yml │ │ ├── posh_ps_susp_execute_batch_script.yml │ │ ├── posh_ps_susp_extracting.yml │ │ ├── posh_ps_susp_follina_execution.yml │ │ ├── posh_ps_susp_get_addefaultdomainpasswordpolicy.yml │ │ ├── posh_ps_susp_get_current_user.yml │ │ ├── posh_ps_susp_get_gpo.yml │ │ ├── posh_ps_susp_get_process.yml │ │ ├── posh_ps_susp_getprocess_lsass.yml │ │ ├── posh_ps_susp_gettypefromclsid.yml │ │ ├── posh_ps_susp_hyper_v_condlet.yml │ │ ├── posh_ps_susp_invocation_generic.yml │ │ ├── posh_ps_susp_invocation_specific.yml │ │ ├── posh_ps_susp_invoke_webrequest_useragent.yml │ │ ├── posh_ps_susp_iofilestream.yml │ │ ├── posh_ps_susp_keylogger_activity.yml │ │ ├── posh_ps_susp_keywords.yml │ │ ├── posh_ps_susp_local_group_reco.yml │ │ ├── posh_ps_susp_mail_acces.yml │ │ ├── posh_ps_susp_mount_diskimage.yml │ │ ├── posh_ps_susp_mounted_share_deletion.yml │ │ ├── posh_ps_susp_networkcredential.yml │ │ ├── posh_ps_susp_new_psdrive.yml │ │ ├── posh_ps_susp_proxy_scripts.yml │ │ ├── posh_ps_susp_recon_export.yml │ │ ├── posh_ps_susp_remove_adgroupmember.yml │ │ ├── posh_ps_susp_service_dacl_modification_set_service.yml │ │ ├── posh_ps_susp_set_alias.yml │ │ ├── posh_ps_susp_smb_share_reco.yml │ │ ├── posh_ps_susp_ssl_keyword.yml │ │ ├── posh_ps_susp_start_process.yml │ │ ├── posh_ps_susp_unblock_file.yml │ │ ├── posh_ps_susp_wallpaper.yml │ │ ├── posh_ps_susp_win32_pnpentity.yml │ │ ├── posh_ps_susp_win32_shadowcopy_deletion.yml │ │ ├── posh_ps_susp_windowstyle.yml │ │ ├── posh_ps_susp_write_eventlog.yml │ │ ├── posh_ps_susp_zip_compress.yml │ │ ├── posh_ps_syncappvpublishingserver_exe.yml │ │ ├── posh_ps_tamper_windows_defender_rem_mp.yml │ │ ├── posh_ps_tamper_windows_defender_set_mp.yml │ │ ├── posh_ps_test_netconnection.yml │ │ ├── posh_ps_timestomp.yml │ │ ├── posh_ps_user_discovery_get_aduser.yml │ │ ├── posh_ps_user_profile_tampering.yml │ │ ├── posh_ps_using_set_service_to_hide_services.yml │ │ ├── posh_ps_vbscript_registry_modification.yml │ │ ├── posh_ps_veeam_credential_dumping_script.yml │ │ ├── posh_ps_web_request_cmd_and_cmdlets.yml │ │ ├── posh_ps_win32_nteventlogfile_usage.yml │ │ ├── posh_ps_win32_product_install_msi.yml │ │ ├── posh_ps_win_api_susp_access.yml │ │ ├── posh_ps_win_defender_exclusions_added.yml │ │ ├── posh_ps_windows_firewall_profile_disabled.yml │ │ ├── posh_ps_winlogon_helper_dll.yml │ │ ├── posh_ps_wmi_persistence.yml │ │ ├── posh_ps_wmi_unquoted_service_search.yml │ │ ├── posh_ps_wmimplant.yml │ │ ├── posh_ps_x509enrollment.yml │ │ └── posh_ps_xml_iex.yml │ ├── process_access/ │ │ ├── proc_access_win_cmstp_execution_by_access.yml │ │ ├── proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml │ │ ├── proc_access_win_hktl_generic_access.yml │ │ ├── proc_access_win_hktl_handlekatz_lsass_access.yml │ │ ├── proc_access_win_hktl_littlecorporal_generated_maldoc.yml │ │ ├── proc_access_win_hktl_sysmonente.yml │ │ ├── proc_access_win_lsass_dump_comsvcs_dll.yml │ │ ├── proc_access_win_lsass_dump_keyword_image.yml │ │ ├── proc_access_win_lsass_memdump.yml │ │ ├── proc_access_win_lsass_python_based_tool.yml │ │ ├── proc_access_win_lsass_remote_access_trough_winrm.yml │ │ ├── proc_access_win_lsass_seclogon_access.yml │ │ ├── proc_access_win_lsass_susp_access_flag.yml │ │ ├── proc_access_win_lsass_werfault.yml │ │ ├── proc_access_win_lsass_whitelisted_process_names.yml │ │ ├── proc_access_win_susp_all_access_uncommon_target.yml │ │ ├── proc_access_win_susp_dbgcore_dbghelp_load.yml │ │ ├── proc_access_win_susp_direct_ntopenprocess_call.yml │ │ ├── proc_access_win_svchost_credential_dumping.yml │ │ ├── proc_access_win_svchost_susp_access_request.yml │ │ ├── proc_access_win_uac_bypass_editionupgrademanagerobj.yml │ │ ├── proc_access_win_uac_bypass_wow64_logger.yml │ │ └── proc_access_win_werfaultsecure_msmpeng_access.yml │ ├── process_creation/ │ │ ├── proc_creation_win_7zip_exfil_dmp_files.yml │ │ ├── proc_creation_win_7zip_password_compression.yml │ │ ├── proc_creation_win_acccheckconsole_execution.yml │ │ ├── proc_creation_win_addinutil_suspicious_cmdline.yml │ │ ├── proc_creation_win_addinutil_uncommon_child_process.yml │ │ ├── proc_creation_win_addinutil_uncommon_cmdline.yml │ │ ├── proc_creation_win_addinutil_uncommon_dir_exec.yml │ │ ├── proc_creation_win_adplus_memory_dump.yml │ │ ├── proc_creation_win_agentexecutor_potential_abuse.yml │ │ ├── proc_creation_win_agentexecutor_susp_usage.yml │ │ ├── proc_creation_win_amsi_registry_tampering.yml │ │ ├── proc_creation_win_appvlp_uncommon_child_process.yml │ │ ├── proc_creation_win_arcsoc_susp_child_process.yml │ │ ├── proc_creation_win_aspnet_compiler_exectuion.yml │ │ ├── proc_creation_win_aspnet_compiler_susp_child_process.yml │ │ ├── proc_creation_win_aspnet_compiler_susp_paths.yml │ │ ├── proc_creation_win_at_interactive_execution.yml │ │ ├── proc_creation_win_atbroker_uncommon_ats_execution.yml │ │ ├── proc_creation_win_attrib_hiding_files.yml │ │ ├── proc_creation_win_attrib_system_susp_paths.yml │ │ ├── proc_creation_win_auditpol_nt_resource_kit_usage.yml │ │ ├── proc_creation_win_auditpol_susp_execution.yml │ │ ├── proc_creation_win_autorun_registry_modified_via_wmic.yml │ │ ├── proc_creation_win_baaupdate_susp_child_process.yml │ │ ├── proc_creation_win_bash_command_execution.yml │ │ ├── proc_creation_win_bash_file_execution.yml │ │ ├── proc_creation_win_bcdedit_boot_conf_tamper.yml │ │ ├── proc_creation_win_bcdedit_susp_execution.yml │ │ ├── proc_creation_win_bcp_export_data.yml │ │ ├── proc_creation_win_bginfo_suspicious_child_process.yml │ │ ├── proc_creation_win_bginfo_uncommon_child_process.yml │ │ ├── proc_creation_win_bitlockertogo_execution.yml │ │ ├── proc_creation_win_bitsadmin_download.yml │ │ ├── proc_creation_win_bitsadmin_download_direct_ip.yml │ │ ├── proc_creation_win_bitsadmin_download_file_sharing_domains.yml │ │ ├── proc_creation_win_bitsadmin_download_susp_extensions.yml │ │ ├── proc_creation_win_bitsadmin_download_susp_targetfolder.yml │ │ ├── proc_creation_win_bitsadmin_potential_persistence.yml │ │ ├── proc_creation_win_browsers_chromium_headless_debugging.yml │ │ ├── proc_creation_win_browsers_chromium_headless_exec.yml │ │ ├── proc_creation_win_browsers_chromium_headless_file_download.yml │ │ ├── proc_creation_win_browsers_chromium_load_extension.yml │ │ ├── proc_creation_win_browsers_chromium_mockbin_abuse.yml │ │ ├── proc_creation_win_browsers_chromium_susp_load_extension.yml │ │ ├── proc_creation_win_browsers_inline_file_download.yml │ │ ├── proc_creation_win_browsers_remote_debugging.yml │ │ ├── proc_creation_win_browsers_tor_execution.yml │ │ ├── proc_creation_win_calc_uncommon_exec.yml │ │ ├── proc_creation_win_cdb_arbitrary_command_execution.yml │ │ ├── proc_creation_win_certmgr_certificate_installation.yml │ │ ├── proc_creation_win_certoc_download.yml │ │ ├── proc_creation_win_certoc_download_direct_ip.yml │ │ ├── proc_creation_win_certoc_load_dll.yml │ │ ├── proc_creation_win_certoc_load_dll_susp_locations.yml │ │ ├── proc_creation_win_certreq_download.yml │ │ ├── proc_creation_win_certutil_certificate_installation.yml │ │ ├── proc_creation_win_certutil_decode.yml │ │ ├── proc_creation_win_certutil_download.yml │ │ ├── proc_creation_win_certutil_download_direct_ip.yml │ │ ├── proc_creation_win_certutil_download_file_sharing_domains.yml │ │ ├── proc_creation_win_certutil_encode.yml │ │ ├── proc_creation_win_certutil_encode_susp_extensions.yml │ │ ├── proc_creation_win_certutil_encode_susp_location.yml │ │ ├── proc_creation_win_certutil_export_pfx.yml │ │ ├── proc_creation_win_certutil_ntlm_coercion.yml │ │ ├── proc_creation_win_chcp_codepage_lookup.yml │ │ ├── proc_creation_win_chcp_codepage_switch.yml │ │ ├── proc_creation_win_cipher_overwrite_deleted_data.yml │ │ ├── proc_creation_win_citrix_trolleyexpress_procdump.yml │ │ ├── proc_creation_win_clip_execution.yml │ │ ├── proc_creation_win_cloudflared_portable_execution.yml │ │ ├── proc_creation_win_cloudflared_quicktunnel_execution.yml │ │ ├── proc_creation_win_cloudflared_tunnel_cleanup.yml │ │ ├── proc_creation_win_cloudflared_tunnel_run.yml │ │ ├── proc_creation_win_cmd_assoc_execution.yml │ │ ├── proc_creation_win_cmd_assoc_tamper_exe_file_association.yml │ │ ├── proc_creation_win_cmd_copy_dmp_from_share.yml │ │ ├── proc_creation_win_cmd_curl_download_exec_combo.yml │ │ ├── proc_creation_win_cmd_del_execution.yml │ │ ├── proc_creation_win_cmd_del_greedy_deletion.yml │ │ ├── proc_creation_win_cmd_dir_execution.yml │ │ ├── proc_creation_win_cmd_dosfuscation.yml │ │ ├── proc_creation_win_cmd_http_appdata.yml │ │ ├── proc_creation_win_cmd_launched_with_hidden_start_flag.yml │ │ ├── proc_creation_win_cmd_mklink_osk_cmd.yml │ │ ├── proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml │ │ ├── proc_creation_win_cmd_net_use_and_exec_combo.yml │ │ ├── proc_creation_win_cmd_no_space_execution.yml │ │ ├── proc_creation_win_cmd_ntdllpipe_redirect.yml │ │ ├── proc_creation_win_cmd_path_traversal.yml │ │ ├── proc_creation_win_cmd_ping_copy_combined_execution.yml │ │ ├── proc_creation_win_cmd_ping_del_combined_execution.yml │ │ ├── proc_creation_win_cmd_redirection_susp_folder.yml │ │ ├── proc_creation_win_cmd_rmdir_execution.yml │ │ ├── proc_creation_win_cmd_shadowcopy_access.yml │ │ ├── proc_creation_win_cmd_stdin_redirect.yml │ │ ├── proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml │ │ ├── proc_creation_win_cmd_sticky_keys_replace.yml │ │ ├── proc_creation_win_cmd_type_arbitrary_file_download.yml │ │ ├── proc_creation_win_cmd_unusual_parent.yml │ │ ├── proc_creation_win_cmdkey_adding_generic_creds.yml │ │ ├── proc_creation_win_cmdkey_recon.yml │ │ ├── proc_creation_win_cmdl32_arbitrary_file_download.yml │ │ ├── proc_creation_win_cmstp_execution_by_creation.yml │ │ ├── proc_creation_win_comodo_ssh_shellhost_cmd_spawn.yml │ │ ├── proc_creation_win_configsecuritypolicy_download_file.yml │ │ ├── proc_creation_win_conhost_headless_powershell.yml │ │ ├── proc_creation_win_conhost_legacy_option.yml │ │ ├── proc_creation_win_conhost_path_traversal.yml │ │ ├── proc_creation_win_conhost_susp_child_process.yml │ │ ├── proc_creation_win_conhost_susp_winshell_child_process.yml │ │ ├── proc_creation_win_conhost_uncommon_parent.yml │ │ ├── proc_creation_win_control_panel_item.yml │ │ ├── proc_creation_win_createdump_lolbin_execution.yml │ │ ├── proc_creation_win_credential_guard_registry_tampering.yml │ │ ├── proc_creation_win_csc_susp_dynamic_compilation.yml │ │ ├── proc_creation_win_csc_susp_parent.yml │ │ ├── proc_creation_win_csi_execution.yml │ │ ├── proc_creation_win_csi_use_of_csharp_console.yml │ │ ├── proc_creation_win_csvde_export.yml │ │ ├── proc_creation_win_curl_cookie_hijacking.yml │ │ ├── proc_creation_win_curl_custom_user_agent.yml │ │ ├── proc_creation_win_curl_download_direct_ip_exec.yml │ │ ├── proc_creation_win_curl_download_direct_ip_susp_extensions.yml │ │ ├── proc_creation_win_curl_download_susp_file_sharing_domains.yml │ │ ├── proc_creation_win_curl_insecure_connection.yml │ │ ├── proc_creation_win_curl_insecure_proxy_or_doh.yml │ │ ├── proc_creation_win_curl_local_file_read.yml │ │ ├── proc_creation_win_curl_susp_download.yml │ │ ├── proc_creation_win_customshellhost_susp_exec.yml │ │ ├── proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml │ │ ├── proc_creation_win_defaultpack_uncommon_child_process.yml │ │ ├── proc_creation_win_defender_default_action_modified.yml │ │ ├── proc_creation_win_defender_remove_context_menu.yml │ │ ├── proc_creation_win_desktopimgdownldr_remote_file_download.yml │ │ ├── proc_creation_win_desktopimgdownldr_susp_execution.yml │ │ ├── proc_creation_win_devcon_disable_vmci_driver.yml │ │ ├── proc_creation_win_device_credential_deployment.yml │ │ ├── proc_creation_win_deviceenroller_dll_sideloading.yml │ │ ├── proc_creation_win_devinit_lolbin_usage.yml │ │ ├── proc_creation_win_dfsvc_suspicious_child_processes.yml │ │ ├── proc_creation_win_dirlister_execution.yml │ │ ├── proc_creation_win_discovery_via_reg_queries.yml │ │ ├── proc_creation_win_diskshadow_child_process_susp.yml │ │ ├── proc_creation_win_diskshadow_script_mode_susp_ext.yml │ │ ├── proc_creation_win_diskshadow_script_mode_susp_location.yml │ │ ├── proc_creation_win_dism_enable_powershell_web_access_feature.yml │ │ ├── proc_creation_win_dism_remove.yml │ │ ├── proc_creation_win_dll_sideload_vmware_xfer.yml │ │ ├── proc_creation_win_dllhost_no_cli_execution.yml │ │ ├── proc_creation_win_dns_exfiltration_tools_execution.yml │ │ ├── proc_creation_win_dns_susp_child_process.yml │ │ ├── proc_creation_win_dnscmd_discovery.yml │ │ ├── proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml │ │ ├── proc_creation_win_dnx_execute_csharp_code.yml │ │ ├── proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml │ │ ├── proc_creation_win_dotnet_trace_lolbin_execution.yml │ │ ├── proc_creation_win_dotnetdump_memory_dump.yml │ │ ├── proc_creation_win_driverquery_recon.yml │ │ ├── proc_creation_win_driverquery_usage.yml │ │ ├── proc_creation_win_dsacls_abuse_permissions.yml │ │ ├── proc_creation_win_dsacls_password_spray.yml │ │ ├── proc_creation_win_dsquery_domain_trust_discovery.yml │ │ ├── proc_creation_win_dtrace_kernel_dump.yml │ │ ├── proc_creation_win_dump64_defender_av_bypass_rename.yml │ │ ├── proc_creation_win_dumpminitool_execution.yml │ │ ├── proc_creation_win_dumpminitool_susp_execution.yml │ │ ├── proc_creation_win_dxcap_arbitrary_binary_execution.yml │ │ ├── proc_creation_win_esentutl_params.yml │ │ ├── proc_creation_win_esentutl_sensitive_file_copy.yml │ │ ├── proc_creation_win_esentutl_webcache.yml │ │ ├── proc_creation_win_event_logging_disable_via_key_minint.yml │ │ ├── proc_creation_win_eventvwr_susp_child_process.yml │ │ ├── proc_creation_win_expand_cabinet_files.yml │ │ ├── proc_creation_win_explorer_break_process_tree.yml │ │ ├── proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml │ │ ├── proc_creation_win_explorer_nouaccheck.yml │ │ ├── proc_creation_win_findstr_download.yml │ │ ├── proc_creation_win_findstr_gpp_passwords.yml │ │ ├── proc_creation_win_findstr_lnk.yml │ │ ├── proc_creation_win_findstr_lsass.yml │ │ ├── proc_creation_win_findstr_recon_everyone.yml │ │ ├── proc_creation_win_findstr_recon_pipe_output.yml │ │ ├── proc_creation_win_findstr_security_keyword_lookup.yml │ │ ├── proc_creation_win_findstr_subfolder_search.yml │ │ ├── proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml │ │ ├── proc_creation_win_finger_execution.yml │ │ ├── proc_creation_win_fltmc_unload_driver.yml │ │ ├── proc_creation_win_fltmc_unload_driver_sysmon.yml │ │ ├── proc_creation_win_forfiles_child_process_masquerading.yml │ │ ├── proc_creation_win_forfiles_proxy_execution_.yml │ │ ├── proc_creation_win_format_uncommon_filesystem_load.yml │ │ ├── proc_creation_win_fsi_fsharp_code_execution.yml │ │ ├── proc_creation_win_fsutil_drive_enumeration.yml │ │ ├── proc_creation_win_fsutil_symlinkevaluation.yml │ │ ├── proc_creation_win_fsutil_usage.yml │ │ ├── proc_creation_win_ftp_arbitrary_command_execution.yml │ │ ├── proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml │ │ ├── proc_creation_win_git_susp_clone.yml │ │ ├── proc_creation_win_github_self_hosted_runner.yml │ │ ├── proc_creation_win_googleupdate_susp_child_process.yml │ │ ├── proc_creation_win_gpg4win_decryption.yml │ │ ├── proc_creation_win_gpg4win_encryption.yml │ │ ├── proc_creation_win_gpg4win_portable_execution.yml │ │ ├── proc_creation_win_gpg4win_susp_location.yml │ │ ├── proc_creation_win_gpresult_execution.yml │ │ ├── proc_creation_win_gup_arbitrary_binary_execution.yml │ │ ├── proc_creation_win_gup_download.yml │ │ ├── proc_creation_win_gup_susp_child_process.yml │ │ ├── proc_creation_win_gup_suspicious_execution.yml │ │ ├── proc_creation_win_hh_chm_execution.yml │ │ ├── proc_creation_win_hh_chm_remote_download_or_execution.yml │ │ ├── proc_creation_win_hh_html_help_susp_child_process.yml │ │ ├── proc_creation_win_hh_susp_execution.yml │ │ ├── proc_creation_win_hktl_adcspwn.yml │ │ ├── proc_creation_win_hktl_bloodhound_sharphound.yml │ │ ├── proc_creation_win_hktl_c3_rundll32_pattern.yml │ │ ├── proc_creation_win_hktl_certify.yml │ │ ├── proc_creation_win_hktl_certipy.yml │ │ ├── proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml │ │ ├── proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml │ │ ├── proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml │ │ ├── proc_creation_win_hktl_cobaltstrike_process_patterns.yml │ │ ├── proc_creation_win_hktl_coercedpotato.yml │ │ ├── proc_creation_win_hktl_covenant.yml │ │ ├── proc_creation_win_hktl_crackmapexec_execution.yml │ │ ├── proc_creation_win_hktl_crackmapexec_execution_patterns.yml │ │ ├── proc_creation_win_hktl_crackmapexec_patterns.yml │ │ ├── proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml │ │ ├── proc_creation_win_hktl_createminidump.yml │ │ ├── proc_creation_win_hktl_dinjector.yml │ │ ├── proc_creation_win_hktl_doppelganger.yml │ │ ├── proc_creation_win_hktl_dumpert.yml │ │ ├── proc_creation_win_hktl_edr_freeze.yml │ │ ├── proc_creation_win_hktl_edrsilencer.yml │ │ ├── proc_creation_win_hktl_empire_powershell_launch.yml │ │ ├── proc_creation_win_hktl_empire_powershell_uac_bypass.yml │ │ ├── proc_creation_win_hktl_evil_winrm.yml │ │ ├── proc_creation_win_hktl_execution_via_imphashes.yml │ │ ├── proc_creation_win_hktl_execution_via_pe_metadata.yml │ │ ├── proc_creation_win_hktl_gmer.yml │ │ ├── proc_creation_win_hktl_handlekatz.yml │ │ ├── proc_creation_win_hktl_hashcat.yml │ │ ├── proc_creation_win_hktl_hollowreaper.yml │ │ ├── proc_creation_win_hktl_htran_or_natbypass.yml │ │ ├── proc_creation_win_hktl_hydra.yml │ │ ├── proc_creation_win_hktl_impacket_lateral_movement.yml │ │ ├── proc_creation_win_hktl_impacket_tools.yml │ │ ├── proc_creation_win_hktl_impersonate.yml │ │ ├── proc_creation_win_hktl_inveigh.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_clip.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_stdin.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_var.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_compress.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml │ │ ├── proc_creation_win_hktl_invoke_obfuscation_via_var.yml │ │ ├── proc_creation_win_hktl_jlaive_batch_execution.yml │ │ ├── proc_creation_win_hktl_koadic.yml │ │ ├── proc_creation_win_hktl_krbrelay.yml │ │ ├── proc_creation_win_hktl_krbrelay_remote.yml │ │ ├── proc_creation_win_hktl_krbrelayup.yml │ │ ├── proc_creation_win_hktl_lazagne.yml │ │ ├── proc_creation_win_hktl_localpotato.yml │ │ ├── proc_creation_win_hktl_meterpreter_getsystem.yml │ │ ├── proc_creation_win_hktl_mimikatz_command_line.yml │ │ ├── proc_creation_win_hktl_pchunter.yml │ │ ├── proc_creation_win_hktl_powersploit_empire_default_schtasks.yml │ │ ├── proc_creation_win_hktl_powertool.yml │ │ ├── proc_creation_win_hktl_purplesharp_indicators.yml │ │ ├── proc_creation_win_hktl_pypykatz.yml │ │ ├── proc_creation_win_hktl_quarks_pwdump.yml │ │ ├── proc_creation_win_hktl_redmimicry_winnti_playbook.yml │ │ ├── proc_creation_win_hktl_relay_attacks_tools.yml │ │ ├── proc_creation_win_hktl_rubeus.yml │ │ ├── proc_creation_win_hktl_safetykatz.yml │ │ ├── proc_creation_win_hktl_secutyxploded.yml │ │ ├── proc_creation_win_hktl_selectmyparent.yml │ │ ├── proc_creation_win_hktl_sharp_chisel.yml │ │ ├── proc_creation_win_hktl_sharp_dpapi_execution.yml │ │ ├── proc_creation_win_hktl_sharp_impersonation.yml │ │ ├── proc_creation_win_hktl_sharp_ldap_monitor.yml │ │ ├── proc_creation_win_hktl_sharpersist.yml │ │ ├── proc_creation_win_hktl_sharpevtmute.yml │ │ ├── proc_creation_win_hktl_sharpldapwhoami.yml │ │ ├── proc_creation_win_hktl_sharpmove.yml │ │ ├── proc_creation_win_hktl_sharpsuccessor_execution.yml │ │ ├── proc_creation_win_hktl_sharpup.yml │ │ ├── proc_creation_win_hktl_sharpview.yml │ │ ├── proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml │ │ ├── proc_creation_win_hktl_silenttrinity_stager.yml │ │ ├── proc_creation_win_hktl_sliver_c2_execution_pattern.yml │ │ ├── proc_creation_win_hktl_soaphound_execution.yml │ │ ├── proc_creation_win_hktl_stracciatella_execution.yml │ │ ├── proc_creation_win_hktl_sysmoneop.yml │ │ ├── proc_creation_win_hktl_trufflesnout.yml │ │ ├── proc_creation_win_hktl_uacme.yml │ │ ├── proc_creation_win_hktl_wce.yml │ │ ├── proc_creation_win_hktl_winpeas.yml │ │ ├── proc_creation_win_hktl_winpwn.yml │ │ ├── proc_creation_win_hktl_wmiexec_default_powershell.yml │ │ ├── proc_creation_win_hktl_wsass.yml │ │ ├── proc_creation_win_hktl_xordump.yml │ │ ├── proc_creation_win_hktl_zipexec.yml │ │ ├── proc_creation_win_hostname_execution.yml │ │ ├── proc_creation_win_hvci_registry_tampering.yml │ │ ├── proc_creation_win_hwp_exploits.yml │ │ ├── proc_creation_win_hxtsr_masquerading.yml │ │ ├── proc_creation_win_icacls_deny.yml │ │ ├── proc_creation_win_ieexec_download.yml │ │ ├── proc_creation_win_iexpress_susp_execution.yml │ │ ├── proc_creation_win_iis_appcmd_http_logging.yml │ │ ├── proc_creation_win_iis_appcmd_service_account_password_dumped.yml │ │ ├── proc_creation_win_iis_appcmd_susp_module_install.yml │ │ ├── proc_creation_win_iis_appcmd_susp_rewrite_rule.yml │ │ ├── proc_creation_win_iis_connection_strings_decryption.yml │ │ ├── proc_creation_win_iis_logs_deletion.yml │ │ ├── proc_creation_win_iis_susp_module_registration.yml │ │ ├── proc_creation_win_ilasm_il_code_compilation.yml │ │ ├── proc_creation_win_imagingdevices_unusual_parents.yml │ │ ├── proc_creation_win_imewbdld_download.yml │ │ ├── proc_creation_win_infdefaultinstall_execute_sct_scripts.yml │ │ ├── proc_creation_win_installutil_download.yml │ │ ├── proc_creation_win_instalutil_no_log_execution.yml │ │ ├── proc_creation_win_java_keytool_susp_child_process.yml │ │ ├── proc_creation_win_java_manageengine_susp_child_process.yml │ │ ├── proc_creation_win_java_remote_debugging.yml │ │ ├── proc_creation_win_java_susp_child_process.yml │ │ ├── proc_creation_win_java_susp_child_process_2.yml │ │ ├── proc_creation_win_java_sysaidserver_susp_child_process.yml │ │ ├── proc_creation_win_jsc_execution.yml │ │ ├── proc_creation_win_kavremover_uncommon_execution.yml │ │ ├── proc_creation_win_kd_execution.yml │ │ ├── proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml │ │ ├── proc_creation_win_keyscrambler_susp_child_process.yml │ │ ├── proc_creation_win_ksetup_password_change_computer.yml │ │ ├── proc_creation_win_ksetup_password_change_user.yml │ │ ├── proc_creation_win_ldifde_export.yml │ │ ├── proc_creation_win_ldifde_file_load.yml │ │ ├── proc_creation_win_link_uncommon_parent_process.yml │ │ ├── proc_creation_win_lodctr_performance_counter_tampering.yml │ │ ├── proc_creation_win_logman_disable_eventlog.yml │ │ ├── proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml │ │ ├── proc_creation_win_lolbin_devtoolslauncher.yml │ │ ├── proc_creation_win_lolbin_diantz_ads.yml │ │ ├── proc_creation_win_lolbin_diantz_remote_cab.yml │ │ ├── proc_creation_win_lolbin_extrac32.yml │ │ ├── proc_creation_win_lolbin_extrac32_ads.yml │ │ ├── proc_creation_win_lolbin_gather_network_info.yml │ │ ├── proc_creation_win_lolbin_gpscript.yml │ │ ├── proc_creation_win_lolbin_ie4uinit.yml │ │ ├── proc_creation_win_lolbin_launch_vsdevshell.yml │ │ ├── proc_creation_win_lolbin_manage_bde.yml │ │ ├── proc_creation_win_lolbin_mavinject_process_injection.yml │ │ ├── proc_creation_win_lolbin_mpiexec.yml │ │ ├── proc_creation_win_lolbin_msdeploy.yml │ │ ├── proc_creation_win_lolbin_openconsole.yml │ │ ├── proc_creation_win_lolbin_openwith.yml │ │ ├── proc_creation_win_lolbin_pcalua.yml │ │ ├── proc_creation_win_lolbin_pcwrun.yml │ │ ├── proc_creation_win_lolbin_pcwrun_follina.yml │ │ ├── proc_creation_win_lolbin_pcwutl.yml │ │ ├── proc_creation_win_lolbin_pester.yml │ │ ├── proc_creation_win_lolbin_pester_1.yml │ │ ├── proc_creation_win_lolbin_printbrm.yml │ │ ├── proc_creation_win_lolbin_pubprn.yml │ │ ├── proc_creation_win_lolbin_rasautou_dll_execution.yml │ │ ├── proc_creation_win_lolbin_register_app.yml │ │ ├── proc_creation_win_lolbin_remote.yml │ │ ├── proc_creation_win_lolbin_replace.yml │ │ ├── proc_creation_win_lolbin_runexehelper.yml │ │ ├── proc_creation_win_lolbin_runscripthelper.yml │ │ ├── proc_creation_win_lolbin_scriptrunner.yml │ │ ├── proc_creation_win_lolbin_settingsynchost.yml │ │ ├── proc_creation_win_lolbin_sftp.yml │ │ ├── proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml │ │ ├── proc_creation_win_lolbin_susp_grpconv.yml │ │ ├── proc_creation_win_lolbin_susp_sqldumper_activity.yml │ │ ├── proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml │ │ ├── proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml │ │ ├── proc_creation_win_lolbin_tracker.yml │ │ ├── proc_creation_win_lolbin_ttdinject.yml │ │ ├── proc_creation_win_lolbin_tttracer_mod_load.yml │ │ ├── proc_creation_win_lolbin_unregmp2.yml │ │ ├── proc_creation_win_lolbin_utilityfunctions.yml │ │ ├── proc_creation_win_lolbin_visual_basic_compiler.yml │ │ ├── proc_creation_win_lolbin_visualuiaverifynative.yml │ │ ├── proc_creation_win_lolbin_vsiisexelauncher.yml │ │ ├── proc_creation_win_lolbin_wfc.yml │ │ ├── proc_creation_win_lolscript_register_app.yml │ │ ├── proc_creation_win_lsass_process_clone.yml │ │ ├── proc_creation_win_mftrace_child_process.yml │ │ ├── proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml │ │ ├── proc_creation_win_mmc_mmc20_lateral_movement.yml │ │ ├── proc_creation_win_mmc_rlo_abuse_pattern.yml │ │ ├── proc_creation_win_mmc_susp_child_process.yml │ │ ├── proc_creation_win_mode_codepage_russian.yml │ │ ├── proc_creation_win_mofcomp_execution.yml │ │ ├── proc_creation_win_mpcmdrun_dll_sideload_defender.yml │ │ ├── proc_creation_win_mpcmdrun_download_arbitrary_file.yml │ │ ├── proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml │ │ ├── proc_creation_win_msbuild_susp_parent_process.yml │ │ ├── proc_creation_win_msdt_answer_file_exec.yml │ │ ├── proc_creation_win_msdt_arbitrary_command_execution.yml │ │ ├── proc_creation_win_msdt_susp_cab_options.yml │ │ ├── proc_creation_win_msdt_susp_parent.yml │ │ ├── proc_creation_win_msedge_proxy_download.yml │ │ ├── proc_creation_win_mshta_http.yml │ │ ├── proc_creation_win_mshta_inline_vbscript.yml │ │ ├── proc_creation_win_mshta_javascript.yml │ │ ├── proc_creation_win_mshta_lethalhta_technique.yml │ │ ├── proc_creation_win_mshta_susp_child_processes.yml │ │ ├── proc_creation_win_mshta_susp_execution.yml │ │ ├── proc_creation_win_mshta_susp_pattern.yml │ │ ├── proc_creation_win_msiexec_dll.yml │ │ ├── proc_creation_win_msiexec_embedding.yml │ │ ├── proc_creation_win_msiexec_execute_dll.yml │ │ ├── proc_creation_win_msiexec_install_quiet.yml │ │ ├── proc_creation_win_msiexec_install_remote.yml │ │ ├── proc_creation_win_msiexec_masquerading.yml │ │ ├── proc_creation_win_msiexec_web_install.yml │ │ ├── proc_creation_win_msix_ai_stub_execution.yml │ │ ├── proc_creation_win_msohtmed_download.yml │ │ ├── proc_creation_win_mspub_download.yml │ │ ├── proc_creation_win_msra_process_injection.yml │ │ ├── proc_creation_win_mssql_sqlps_susp_execution.yml │ │ ├── proc_creation_win_mssql_sqltoolsps_susp_execution.yml │ │ ├── proc_creation_win_mssql_susp_child_process.yml │ │ ├── proc_creation_win_mssql_veaam_susp_child_processes.yml │ │ ├── proc_creation_win_mstsc_rdp_hijack_shadowing.yml │ │ ├── proc_creation_win_mstsc_remote_connection.yml │ │ ├── proc_creation_win_mstsc_run_local_rdp_file.yml │ │ ├── proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml │ │ ├── proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml │ │ ├── proc_creation_win_msxsl_execution.yml │ │ ├── proc_creation_win_msxsl_remote_execution.yml │ │ ├── proc_creation_win_net_groups_and_accounts_recon.yml │ │ ├── proc_creation_win_net_share_unmount.yml │ │ ├── proc_creation_win_net_start_service.yml │ │ ├── proc_creation_win_net_stop_service.yml │ │ ├── proc_creation_win_net_use_mount_admin_share.yml │ │ ├── proc_creation_win_net_use_mount_internet_share.yml │ │ ├── proc_creation_win_net_use_mount_share.yml │ │ ├── proc_creation_win_net_use_network_connections_discovery.yml │ │ ├── proc_creation_win_net_use_password_plaintext.yml │ │ ├── proc_creation_win_net_user_add.yml │ │ ├── proc_creation_win_net_user_add_never_expire.yml │ │ ├── proc_creation_win_net_user_default_accounts_manipulation.yml │ │ ├── proc_creation_win_net_view_share_and_sessions_enum.yml │ │ ├── proc_creation_win_netsh_fw_add_rule.yml │ │ ├── proc_creation_win_netsh_fw_allow_program_in_susp_location.yml │ │ ├── proc_creation_win_netsh_fw_allow_rdp.yml │ │ ├── proc_creation_win_netsh_fw_delete_rule.yml │ │ ├── proc_creation_win_netsh_fw_disable.yml │ │ ├── proc_creation_win_netsh_fw_enable_group_rule.yml │ │ ├── proc_creation_win_netsh_fw_rules_discovery.yml │ │ ├── proc_creation_win_netsh_fw_set_rule.yml │ │ ├── proc_creation_win_netsh_helper_dll_persistence.yml │ │ ├── proc_creation_win_netsh_packet_capture.yml │ │ ├── proc_creation_win_netsh_port_forwarding.yml │ │ ├── proc_creation_win_netsh_port_forwarding_3389.yml │ │ ├── proc_creation_win_netsh_wifi_credential_harvesting.yml │ │ ├── proc_creation_win_nltest_execution.yml │ │ ├── proc_creation_win_nltest_recon.yml │ │ ├── proc_creation_win_node_abuse.yml │ │ ├── proc_creation_win_node_adobe_creative_cloud_abuse.yml │ │ ├── proc_creation_win_notepad_local_passwd_discovery.yml │ │ ├── proc_creation_win_nslookup_domain_discovery.yml │ │ ├── proc_creation_win_nslookup_poweshell_download.yml │ │ ├── proc_creation_win_ntdsutil_susp_usage.yml │ │ ├── proc_creation_win_ntdsutil_usage.yml │ │ ├── proc_creation_win_odbcconf_driver_install.yml │ │ ├── proc_creation_win_odbcconf_driver_install_susp.yml │ │ ├── proc_creation_win_odbcconf_exec_susp_locations.yml │ │ ├── proc_creation_win_odbcconf_register_dll_regsvr.yml │ │ ├── proc_creation_win_odbcconf_register_dll_regsvr_susp.yml │ │ ├── proc_creation_win_odbcconf_response_file.yml │ │ ├── proc_creation_win_odbcconf_response_file_susp.yml │ │ ├── proc_creation_win_odbcconf_uncommon_child_process.yml │ │ ├── proc_creation_win_office_arbitrary_cli_download.yml │ │ ├── proc_creation_win_office_excel_dcom_lateral_movement.yml │ │ ├── proc_creation_win_office_exec_from_trusted_locations.yml │ │ ├── proc_creation_win_office_onenote_embedded_script_execution.yml │ │ ├── proc_creation_win_office_onenote_susp_child_processes.yml │ │ ├── proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml │ │ ├── proc_creation_win_office_outlook_execution_from_temp.yml │ │ ├── proc_creation_win_office_outlook_susp_child_processes.yml │ │ ├── proc_creation_win_office_outlook_susp_child_processes_remote.yml │ │ ├── proc_creation_win_office_spawn_exe_from_users_directory.yml │ │ ├── proc_creation_win_office_susp_child_processes.yml │ │ ├── proc_creation_win_office_winword_dll_load.yml │ │ ├── proc_creation_win_offlinescannershell_mpclient_sideloading.yml │ │ ├── proc_creation_win_pdqdeploy_execution.yml │ │ ├── proc_creation_win_pdqdeploy_runner_susp_children.yml │ │ ├── proc_creation_win_perl_inline_command_execution.yml │ │ ├── proc_creation_win_php_inline_command_execution.yml │ │ ├── proc_creation_win_ping_hex_ip.yml │ │ ├── proc_creation_win_pktmon_execution.yml │ │ ├── proc_creation_win_plink_port_forwarding.yml │ │ ├── proc_creation_win_plink_susp_tunneling.yml │ │ ├── proc_creation_win_powercfg_execution.yml │ │ ├── proc_creation_win_powershell_aadinternals_cmdlets_execution.yml │ │ ├── proc_creation_win_powershell_active_directory_module_dll_import.yml │ │ ├── proc_creation_win_powershell_add_windows_capability.yml │ │ ├── proc_creation_win_powershell_amsi_init_failed_bypass.yml │ │ ├── proc_creation_win_powershell_amsi_null_bits_bypass.yml │ │ ├── proc_creation_win_powershell_audio_capture.yml │ │ ├── proc_creation_win_powershell_base64_encoded_cmd.yml │ │ ├── proc_creation_win_powershell_base64_encoded_cmd_patterns.yml │ │ ├── proc_creation_win_powershell_base64_encoded_obfusc.yml │ │ ├── proc_creation_win_powershell_base64_frombase64string.yml │ │ ├── proc_creation_win_powershell_base64_hidden_flag.yml │ │ ├── proc_creation_win_powershell_base64_iex.yml │ │ ├── proc_creation_win_powershell_base64_invoke.yml │ │ ├── proc_creation_win_powershell_base64_mppreference.yml │ │ ├── proc_creation_win_powershell_base64_reflection_assembly_load.yml │ │ ├── proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml │ │ ├── proc_creation_win_powershell_base64_wmi_classes.yml │ │ ├── proc_creation_win_powershell_cl_invocation.yml │ │ ├── proc_creation_win_powershell_cl_loadassembly.yml │ │ ├── proc_creation_win_powershell_cl_mutexverifiers.yml │ │ ├── proc_creation_win_powershell_cmdline_convertto_securestring.yml │ │ ├── proc_creation_win_powershell_cmdline_reversed_strings.yml │ │ ├── proc_creation_win_powershell_cmdline_special_characters.yml │ │ ├── proc_creation_win_powershell_comobject_msi.yml │ │ ├── proc_creation_win_powershell_comobject_msi_remote.yml │ │ ├── proc_creation_win_powershell_computer_discovery_get_adcomputer.yml │ │ ├── proc_creation_win_powershell_console_history_file_access.yml │ │ ├── proc_creation_win_powershell_create_service.yml │ │ ├── proc_creation_win_powershell_decode_gzip.yml │ │ ├── proc_creation_win_powershell_decrypt_pattern.yml │ │ ├── proc_creation_win_powershell_defender_disable_feature.yml │ │ ├── proc_creation_win_powershell_defender_exclusion.yml │ │ ├── proc_creation_win_powershell_disable_defender_av_security_monitoring.yml │ │ ├── proc_creation_win_powershell_disable_firewall.yml │ │ ├── proc_creation_win_powershell_disable_ie_features.yml │ │ ├── proc_creation_win_powershell_downgrade_attack.yml │ │ ├── proc_creation_win_powershell_download_com_cradles.yml │ │ ├── proc_creation_win_powershell_download_cradle_obfuscated.yml │ │ ├── proc_creation_win_powershell_download_dll.yml │ │ ├── proc_creation_win_powershell_download_iex.yml │ │ ├── proc_creation_win_powershell_download_patterns.yml │ │ ├── proc_creation_win_powershell_download_susp_file_sharing_domains.yml │ │ ├── proc_creation_win_powershell_dsinternals_cmdlets.yml │ │ ├── proc_creation_win_powershell_email_exfil.yml │ │ ├── proc_creation_win_powershell_enable_susp_windows_optional_feature.yml │ │ ├── proc_creation_win_powershell_encode.yml │ │ ├── proc_creation_win_powershell_encoding_patterns.yml │ │ ├── proc_creation_win_powershell_exec_data_file.yml │ │ ├── proc_creation_win_powershell_export_certificate.yml │ │ ├── proc_creation_win_powershell_frombase64string.yml │ │ ├── proc_creation_win_powershell_frombase64string_archive.yml │ │ ├── proc_creation_win_powershell_get_clipboard.yml │ │ ├── proc_creation_win_powershell_get_localgroup_member_recon.yml │ │ ├── proc_creation_win_powershell_getprocess_lsass.yml │ │ ├── proc_creation_win_powershell_hide_services_via_set_service.yml │ │ ├── proc_creation_win_powershell_iex_patterns.yml │ │ ├── proc_creation_win_powershell_import_cert_susp_locations.yml │ │ ├── proc_creation_win_powershell_import_module_susp_dirs.yml │ │ ├── proc_creation_win_powershell_install_unsigned_appx_packages.yml │ │ ├── proc_creation_win_powershell_invocation_specific.yml │ │ ├── proc_creation_win_powershell_invoke_webrequest_direct_ip.yml │ │ ├── proc_creation_win_powershell_invoke_webrequest_download.yml │ │ ├── proc_creation_win_powershell_kerberos_kerberos_ticket_request_via_cli.yml │ │ ├── proc_creation_win_powershell_mailboxexport_share.yml │ │ ├── proc_creation_win_powershell_malicious_cmdlets.yml │ │ ├── proc_creation_win_powershell_msexchange_transport_agent.yml │ │ ├── proc_creation_win_powershell_non_interactive_execution.yml │ │ ├── proc_creation_win_powershell_obfuscation_via_utf8.yml │ │ ├── proc_creation_win_powershell_public_folder.yml │ │ ├── proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml │ │ ├── proc_creation_win_powershell_remove_mppreference.yml │ │ ├── proc_creation_win_powershell_reverse_shell_connection.yml │ │ ├── proc_creation_win_powershell_run_script_from_ads.yml │ │ ├── proc_creation_win_powershell_run_script_from_input_stream.yml │ │ ├── proc_creation_win_powershell_sam_access.yml │ │ ├── proc_creation_win_powershell_script_engine_parent.yml │ │ ├── proc_creation_win_powershell_service_dacl_modification_set_service.yml │ │ ├── proc_creation_win_powershell_set_acl.yml │ │ ├── proc_creation_win_powershell_set_acl_susp_location.yml │ │ ├── proc_creation_win_powershell_set_policies_to_unsecure_level.yml │ │ ├── proc_creation_win_powershell_set_service_disabled.yml │ │ ├── proc_creation_win_powershell_shadowcopy_deletion.yml │ │ ├── proc_creation_win_powershell_snapins_hafnium.yml │ │ ├── proc_creation_win_powershell_stop_service.yml │ │ ├── proc_creation_win_powershell_susp_download_patterns.yml │ │ ├── proc_creation_win_powershell_susp_parameter_variation.yml │ │ ├── proc_creation_win_powershell_susp_parent_process.yml │ │ ├── proc_creation_win_powershell_susp_ps_appdata.yml │ │ ├── proc_creation_win_powershell_token_obfuscation.yml │ │ ├── proc_creation_win_powershell_uninstall_defender_feature.yml │ │ ├── proc_creation_win_powershell_user_discovery_get_aduser.yml │ │ ├── proc_creation_win_powershell_webclient_casing.yml │ │ ├── proc_creation_win_powershell_x509enrollment.yml │ │ ├── proc_creation_win_powershell_xor_commandline.yml │ │ ├── proc_creation_win_powershell_zip_compress.yml │ │ ├── proc_creation_win_presentationhost_download.yml │ │ ├── proc_creation_win_presentationhost_uncommon_location_exec.yml │ │ ├── proc_creation_win_pressanykey_lolbin_execution.yml │ │ ├── proc_creation_win_print_remote_file_copy.yml │ │ ├── proc_creation_win_protocolhandler_download.yml │ │ ├── proc_creation_win_provlaunch_potential_abuse.yml │ │ ├── proc_creation_win_provlaunch_susp_child_process.yml │ │ ├── proc_creation_win_psr_capture_screenshots.yml │ │ ├── proc_creation_win_pua_3proxy_execution.yml │ │ ├── proc_creation_win_pua_adfind_enumeration.yml │ │ ├── proc_creation_win_pua_adfind_execution.yml │ │ ├── proc_creation_win_pua_adfind_susp_usage.yml │ │ ├── proc_creation_win_pua_advanced_ip_scanner.yml │ │ ├── proc_creation_win_pua_advanced_port_scanner.yml │ │ ├── proc_creation_win_pua_advancedrun.yml │ │ ├── proc_creation_win_pua_advancedrun_priv_user.yml │ │ ├── proc_creation_win_pua_chisel.yml │ │ ├── proc_creation_win_pua_cleanwipe.yml │ │ ├── proc_creation_win_pua_crassus.yml │ │ ├── proc_creation_win_pua_csexec.yml │ │ ├── proc_creation_win_pua_defendercheck.yml │ │ ├── proc_creation_win_pua_ditsnap.yml │ │ ├── proc_creation_win_pua_frp.yml │ │ ├── proc_creation_win_pua_iox.yml │ │ ├── proc_creation_win_pua_kdu_driver_tool.yml │ │ ├── proc_creation_win_pua_mouselock_execution.yml │ │ ├── proc_creation_win_pua_netcat.yml │ │ ├── proc_creation_win_pua_netscan.yml │ │ ├── proc_creation_win_pua_ngrok.yml │ │ ├── proc_creation_win_pua_nimgrab.yml │ │ ├── proc_creation_win_pua_nimscan.yml │ │ ├── proc_creation_win_pua_nircmd.yml │ │ ├── proc_creation_win_pua_nircmd_as_system.yml │ │ ├── proc_creation_win_pua_nmap_zenmap.yml │ │ ├── proc_creation_win_pua_nps.yml │ │ ├── proc_creation_win_pua_nsudo.yml │ │ ├── proc_creation_win_pua_pingcastle.yml │ │ ├── proc_creation_win_pua_pingcastle_script_parent.yml │ │ ├── proc_creation_win_pua_process_hacker.yml │ │ ├── proc_creation_win_pua_radmin.yml │ │ ├── proc_creation_win_pua_rcedit_execution.yml │ │ ├── proc_creation_win_pua_rclone_execution.yml │ │ ├── proc_creation_win_pua_restic.yml │ │ ├── proc_creation_win_pua_runxcmd.yml │ │ ├── proc_creation_win_pua_seatbelt.yml │ │ ├── proc_creation_win_pua_system_informer.yml │ │ ├── proc_creation_win_pua_trufflehog.yml │ │ ├── proc_creation_win_pua_webbrowserpassview.yml │ │ ├── proc_creation_win_pua_wsudo_susp_execution.yml │ │ ├── proc_creation_win_python_adidnsdump.yml │ │ ├── proc_creation_win_python_inline_command_execution.yml │ │ ├── proc_creation_win_python_pty_spawn.yml │ │ ├── proc_creation_win_qemu_suspicious_execution.yml │ │ ├── proc_creation_win_query_session_exfil.yml │ │ ├── proc_creation_win_quickassist_execution.yml │ │ ├── proc_creation_win_rar_compress_data.yml │ │ ├── proc_creation_win_rar_compression_with_password.yml │ │ ├── proc_creation_win_rar_susp_greedy_compression.yml │ │ ├── proc_creation_win_rasdial_execution.yml │ │ ├── proc_creation_win_rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.yml │ │ ├── proc_creation_win_rdrleakdiag_process_dumping.yml │ │ ├── proc_creation_win_reagentc_disable_windows_recovery_environment.yml │ │ ├── proc_creation_win_reg_add_run_key.yml │ │ ├── proc_creation_win_reg_add_safeboot.yml │ │ ├── proc_creation_win_reg_bitlocker.yml │ │ ├── proc_creation_win_reg_credential_access_via_password_filter.yml │ │ ├── proc_creation_win_reg_defender_exclusion.yml │ │ ├── proc_creation_win_reg_delete_runmru.yml │ │ ├── proc_creation_win_reg_delete_safeboot.yml │ │ ├── proc_creation_win_reg_delete_services.yml │ │ ├── proc_creation_win_reg_desktop_background_change.yml │ │ ├── proc_creation_win_reg_direct_asep_registry_keys_modification.yml │ │ ├── proc_creation_win_reg_disable_defender_wmi_autologger.yml │ │ ├── proc_creation_win_reg_disable_sec_services.yml │ │ ├── proc_creation_win_reg_dumping_sensitive_hives.yml │ │ ├── proc_creation_win_reg_enable_windows_recall.yml │ │ ├── proc_creation_win_reg_enumeration_for_credentials_in_registry.yml │ │ ├── proc_creation_win_reg_import_from_suspicious_paths.yml │ │ ├── proc_creation_win_reg_lsa_disable_restricted_admin.yml │ │ ├── proc_creation_win_reg_lsa_ppl_protection_disabled.yml │ │ ├── proc_creation_win_reg_machineguid.yml │ │ ├── proc_creation_win_reg_modify_group_policy_settings.yml │ │ ├── proc_creation_win_reg_nolmhash.yml │ │ ├── proc_creation_win_reg_query_registry.yml │ │ ├── proc_creation_win_reg_rdp_keys_tamper.yml │ │ ├── proc_creation_win_reg_screensaver.yml │ │ ├── proc_creation_win_reg_service_imagepath_change.yml │ │ ├── proc_creation_win_reg_software_discovery.yml │ │ ├── proc_creation_win_reg_susp_paths.yml │ │ ├── proc_creation_win_reg_system_language_discovery.yml │ │ ├── proc_creation_win_reg_volsnap_disable.yml │ │ ├── proc_creation_win_reg_windows_defender_tamper.yml │ │ ├── proc_creation_win_reg_write_protect_for_storage_disabled.yml │ │ ├── proc_creation_win_regasm_no_flag_or_dll_execution.yml │ │ ├── proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml │ │ ├── proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml │ │ ├── proc_creation_win_regedit_export_critical_keys.yml │ │ ├── proc_creation_win_regedit_export_keys.yml │ │ ├── proc_creation_win_regedit_import_keys.yml │ │ ├── proc_creation_win_regedit_import_keys_ads.yml │ │ ├── proc_creation_win_regedit_trustedinstaller.yml │ │ ├── proc_creation_win_regini_ads.yml │ │ ├── proc_creation_win_regini_execution.yml │ │ ├── proc_creation_win_registry_cimprovider_dll_load.yml │ │ ├── proc_creation_win_registry_enumeration_for_credentials_cli.yml │ │ ├── proc_creation_win_registry_export_of_thirdparty_creds.yml │ │ ├── proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml │ │ ├── proc_creation_win_registry_install_reg_debugger_backdoor.yml │ │ ├── proc_creation_win_registry_logon_script.yml │ │ ├── proc_creation_win_registry_new_network_provider.yml │ │ ├── proc_creation_win_registry_office_disable_python_security_warnings.yml │ │ ├── proc_creation_win_registry_privilege_escalation_via_service_key.yml │ │ ├── proc_creation_win_registry_provlaunch_provisioning_command.yml │ │ ├── proc_creation_win_registry_set_unsecure_powershell_policy.yml │ │ ├── proc_creation_win_registry_special_accounts_hide_user.yml │ │ ├── proc_creation_win_registry_typed_paths_persistence.yml │ │ ├── proc_creation_win_regsvr32_flags_anomaly.yml │ │ ├── proc_creation_win_regsvr32_http_ip_pattern.yml │ │ ├── proc_creation_win_regsvr32_network_pattern.yml │ │ ├── proc_creation_win_regsvr32_remote_share.yml │ │ ├── proc_creation_win_regsvr32_susp_child_process.yml │ │ ├── proc_creation_win_regsvr32_susp_exec_path_1.yml │ │ ├── proc_creation_win_regsvr32_susp_exec_path_2.yml │ │ ├── proc_creation_win_regsvr32_susp_extensions.yml │ │ ├── proc_creation_win_regsvr32_susp_parent.yml │ │ ├── proc_creation_win_regsvr32_uncommon_extension.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_silent_install.yml │ │ ├── proc_creation_win_remote_access_tools_anydesk_susp_exec.yml │ │ ├── proc_creation_win_remote_access_tools_gotoopener.yml │ │ ├── proc_creation_win_remote_access_tools_logmein.yml │ │ ├── proc_creation_win_remote_access_tools_meshagent_arguments.yml │ │ ├── proc_creation_win_remote_access_tools_meshagent_exec.yml │ │ ├── proc_creation_win_remote_access_tools_netsupport.yml │ │ ├── proc_creation_win_remote_access_tools_netsupport_susp_exec.yml │ │ ├── proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml │ │ ├── proc_creation_win_remote_access_tools_rurat_non_default_location.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_webshell.yml │ │ ├── proc_creation_win_remote_access_tools_simple_help.yml │ │ ├── proc_creation_win_remote_access_tools_tacticalrmm_agent_registration_via_cli.yml │ │ ├── proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml │ │ ├── proc_creation_win_remote_access_tools_ultraviewer.yml │ │ ├── proc_creation_win_remote_time_discovery.yml │ │ ├── proc_creation_win_renamed_adfind.yml │ │ ├── proc_creation_win_renamed_autohotkey.yml │ │ ├── proc_creation_win_renamed_autoit.yml │ │ ├── proc_creation_win_renamed_binary.yml │ │ ├── proc_creation_win_renamed_binary_highly_relevant.yml │ │ ├── proc_creation_win_renamed_boinc.yml │ │ ├── proc_creation_win_renamed_browsercore.yml │ │ ├── proc_creation_win_renamed_cloudflared.yml │ │ ├── proc_creation_win_renamed_createdump.yml │ │ ├── proc_creation_win_renamed_curl.yml │ │ ├── proc_creation_win_renamed_dctask64.yml │ │ ├── proc_creation_win_renamed_ftp.yml │ │ ├── proc_creation_win_renamed_gpg4win.yml │ │ ├── proc_creation_win_renamed_jusched.yml │ │ ├── proc_creation_win_renamed_mavinject.yml │ │ ├── proc_creation_win_renamed_megasync.yml │ │ ├── proc_creation_win_renamed_msdt.yml │ │ ├── proc_creation_win_renamed_msteams.yml │ │ ├── proc_creation_win_renamed_netsupport_rat.yml │ │ ├── proc_creation_win_renamed_nircmd.yml │ │ ├── proc_creation_win_renamed_office_processes.yml │ │ ├── proc_creation_win_renamed_paexec.yml │ │ ├── proc_creation_win_renamed_pingcastle.yml │ │ ├── proc_creation_win_renamed_plink.yml │ │ ├── proc_creation_win_renamed_pressanykey.yml │ │ ├── proc_creation_win_renamed_rundll32_dllregisterserver.yml │ │ ├── proc_creation_win_renamed_rurat.yml │ │ ├── proc_creation_win_renamed_schtasks_execution.yml │ │ ├── proc_creation_win_renamed_sysinternals_debugview.yml │ │ ├── proc_creation_win_renamed_sysinternals_procdump.yml │ │ ├── proc_creation_win_renamed_sysinternals_psexec_service.yml │ │ ├── proc_creation_win_renamed_sysinternals_sdelete.yml │ │ ├── proc_creation_win_renamed_vmnat.yml │ │ ├── proc_creation_win_renamed_whoami.yml │ │ ├── proc_creation_win_rpcping_credential_capture.yml │ │ ├── proc_creation_win_ruby_inline_command_execution.yml │ │ ├── proc_creation_win_rundll32_ads_stored_dll_execution.yml │ │ ├── proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml │ │ ├── proc_creation_win_rundll32_inline_vbs.yml │ │ ├── proc_creation_win_rundll32_installscreensaver.yml │ │ ├── proc_creation_win_rundll32_keymgr.yml │ │ ├── proc_creation_win_rundll32_mshtml_runhtmlapplication.yml │ │ ├── proc_creation_win_rundll32_no_params.yml │ │ ├── proc_creation_win_rundll32_ntlmrelay.yml │ │ ├── proc_creation_win_rundll32_obfuscated_ordinal_call.yml │ │ ├── proc_creation_win_rundll32_parent_explorer.yml │ │ ├── proc_creation_win_rundll32_process_dump_via_comsvcs.yml │ │ ├── proc_creation_win_rundll32_registered_com_objects.yml │ │ ├── proc_creation_win_rundll32_run_locations.yml │ │ ├── proc_creation_win_rundll32_setupapi_installhinfsection.yml │ │ ├── proc_creation_win_rundll32_shell32_susp_execution.yml │ │ ├── proc_creation_win_rundll32_shelldispatch_potential_abuse.yml │ │ ├── proc_creation_win_rundll32_spawn_explorer.yml │ │ ├── proc_creation_win_rundll32_susp_activity.yml │ │ ├── proc_creation_win_rundll32_susp_control_dll_load.yml │ │ ├── proc_creation_win_rundll32_susp_execution_with_image_extension.yml │ │ ├── proc_creation_win_rundll32_susp_shellexec_execution.yml │ │ ├── proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml │ │ ├── proc_creation_win_rundll32_susp_shimcache_flush.yml │ │ ├── proc_creation_win_rundll32_sys.yml │ │ ├── proc_creation_win_rundll32_udl_exec.yml │ │ ├── proc_creation_win_rundll32_unc_path.yml │ │ ├── proc_creation_win_rundll32_uncommon_dll_extension.yml │ │ ├── proc_creation_win_rundll32_user32_dll.yml │ │ ├── proc_creation_win_rundll32_webdav_client_execution.yml │ │ ├── proc_creation_win_rundll32_webdav_client_susp_execution.yml │ │ ├── proc_creation_win_rundll32_without_parameters.yml │ │ ├── proc_creation_win_runonce_execution.yml │ │ ├── proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml │ │ ├── proc_creation_win_sc_create_service.yml │ │ ├── proc_creation_win_sc_disable_service.yml │ │ ├── proc_creation_win_sc_new_kernel_driver.yml │ │ ├── proc_creation_win_sc_query_interesting_services.yml │ │ ├── proc_creation_win_sc_sdset_allow_service_changes.yml │ │ ├── proc_creation_win_sc_sdset_deny_service_access.yml │ │ ├── proc_creation_win_sc_sdset_hide_sevices.yml │ │ ├── proc_creation_win_sc_sdset_modification.yml │ │ ├── proc_creation_win_sc_service_path_modification.yml │ │ ├── proc_creation_win_sc_service_tamper_for_persistence.yml │ │ ├── proc_creation_win_sc_stop_service.yml │ │ ├── proc_creation_win_schtasks_appdata_local_system.yml │ │ ├── proc_creation_win_schtasks_change.yml │ │ ├── proc_creation_win_schtasks_creation.yml │ │ ├── proc_creation_win_schtasks_creation_temp_folder.yml │ │ ├── proc_creation_win_schtasks_curl_and_powershell_combo.yml │ │ ├── proc_creation_win_schtasks_delete.yml │ │ ├── proc_creation_win_schtasks_delete_all.yml │ │ ├── proc_creation_win_schtasks_disable.yml │ │ ├── proc_creation_win_schtasks_env_folder.yml │ │ ├── proc_creation_win_schtasks_folder_combos.yml │ │ ├── proc_creation_win_schtasks_guid_task_name.yml │ │ ├── proc_creation_win_schtasks_one_time_only_midnight_task.yml │ │ ├── proc_creation_win_schtasks_openssh_tunnelling.yml │ │ ├── proc_creation_win_schtasks_persistence_windows_telemetry.yml │ │ ├── proc_creation_win_schtasks_powershell_persistence.yml │ │ ├── proc_creation_win_schtasks_reg_loader.yml │ │ ├── proc_creation_win_schtasks_reg_loader_encoded.yml │ │ ├── proc_creation_win_schtasks_schedule_type.yml │ │ ├── proc_creation_win_schtasks_schedule_type_system.yml │ │ ├── proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml │ │ ├── proc_creation_win_schtasks_susp_pattern.yml │ │ ├── proc_creation_win_schtasks_system.yml │ │ ├── proc_creation_win_schtasks_system_process.yml │ │ ├── proc_creation_win_scrcons_susp_child_process.yml │ │ ├── proc_creation_win_sdbinst_shim_persistence.yml │ │ ├── proc_creation_win_sdbinst_susp_extension.yml │ │ ├── proc_creation_win_sdclt_child_process.yml │ │ ├── proc_creation_win_sdiagnhost_susp_child.yml │ │ ├── proc_creation_win_secedit_execution.yml │ │ ├── proc_creation_win_security_susp_node_js_execution.yml │ │ ├── proc_creation_win_servu_susp_child_process.yml │ │ ├── proc_creation_win_setres_uncommon_child_process.yml │ │ ├── proc_creation_win_setspn_spn_enumeration.yml │ │ ├── proc_creation_win_setup16_custom_lst_execution.yml │ │ ├── proc_creation_win_shutdown_execution.yml │ │ ├── proc_creation_win_shutdown_logoff.yml │ │ ├── proc_creation_win_sigverif_uncommon_child_process.yml │ │ ├── proc_creation_win_sndvol_susp_child_processes.yml │ │ ├── proc_creation_win_soundrecorder_audio_capture.yml │ │ ├── proc_creation_win_speechruntime_child_process.yml │ │ ├── proc_creation_win_splwow64_cli_anomaly.yml │ │ ├── proc_creation_win_spoolsv_susp_child_processes.yml │ │ ├── proc_creation_win_sqlcmd_veeam_db_recon.yml │ │ ├── proc_creation_win_sqlcmd_veeam_dump.yml │ │ ├── proc_creation_win_sqlite_chromium_profile_data.yml │ │ ├── proc_creation_win_sqlite_firefox_gecko_profile_data.yml │ │ ├── proc_creation_win_squirrel_download.yml │ │ ├── proc_creation_win_squirrel_proxy_execution.yml │ │ ├── proc_creation_win_ssh_port_forward.yml │ │ ├── proc_creation_win_ssh_proxy_execution.yml │ │ ├── proc_creation_win_ssh_rdp_tunneling.yml │ │ ├── proc_creation_win_ssm_agent_abuse.yml │ │ ├── proc_creation_win_stordiag_susp_child_process.yml │ │ ├── proc_creation_win_susp_16bit_application.yml │ │ ├── proc_creation_win_susp_abusing_debug_privilege.yml │ │ ├── proc_creation_win_susp_add_user_local_admin_group.yml │ │ ├── proc_creation_win_susp_add_user_privileged_group.yml │ │ ├── proc_creation_win_susp_add_user_remote_desktop_group.yml │ │ ├── proc_creation_win_susp_alternate_data_streams.yml │ │ ├── proc_creation_win_susp_always_install_elevated_windows_installer.yml │ │ ├── proc_creation_win_susp_appx_execution.yml │ │ ├── proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml │ │ ├── proc_creation_win_susp_archiver_iso_phishing.yml │ │ ├── proc_creation_win_susp_automated_collection.yml │ │ ├── proc_creation_win_susp_bad_opsec_sacrificial_processes.yml │ │ ├── proc_creation_win_susp_browser_launch_from_document_reader_process.yml │ │ ├── proc_creation_win_susp_child_process_as_system_.yml │ │ ├── proc_creation_win_susp_cli_obfuscation_escape_char.yml │ │ ├── proc_creation_win_susp_cli_obfuscation_unicode_img.yml │ │ ├── proc_creation_win_susp_clickfix_filefix_execution.yml │ │ ├── proc_creation_win_susp_clickfix_filefix_whitespace_padding.yml │ │ ├── proc_creation_win_susp_cmd_for_loop_execution_with_recursive_directory_search.yml │ │ ├── proc_creation_win_susp_commandline_path_traversal_evasion.yml │ │ ├── proc_creation_win_susp_copy_browser_data.yml │ │ ├── proc_creation_win_susp_copy_lateral_movement.yml │ │ ├── proc_creation_win_susp_copy_system_dir.yml │ │ ├── proc_creation_win_susp_copy_system_dir_lolbin.yml │ │ ├── proc_creation_win_susp_crypto_mining_monero.yml │ │ ├── proc_creation_win_susp_data_exfiltration_via_cli.yml │ │ ├── proc_creation_win_susp_disable_raccine.yml │ │ ├── proc_creation_win_susp_double_extension.yml │ │ ├── proc_creation_win_susp_double_extension_parent.yml │ │ ├── proc_creation_win_susp_download_office_domain.yml │ │ ├── proc_creation_win_susp_dumpstack_log_evasion.yml │ │ ├── proc_creation_win_susp_elavated_msi_spawned_shell.yml │ │ ├── proc_creation_win_susp_electron_app_children.yml │ │ ├── proc_creation_win_susp_electron_execution_proxy.yml │ │ ├── proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml │ │ ├── proc_creation_win_susp_embed_exe_lnk.yml │ │ ├── proc_creation_win_susp_emoji_usage_in_cli_1.yml │ │ ├── proc_creation_win_susp_emoji_usage_in_cli_2.yml │ │ ├── proc_creation_win_susp_emoji_usage_in_cli_3.yml │ │ ├── proc_creation_win_susp_emoji_usage_in_cli_4.yml │ │ ├── proc_creation_win_susp_etw_modification_cmdline.yml │ │ ├── proc_creation_win_susp_etw_trace_evasion.yml │ │ ├── proc_creation_win_susp_eventlog_clear.yml │ │ ├── proc_creation_win_susp_eventlog_content_recon.yml │ │ ├── proc_creation_win_susp_execution_from_public_folder_as_parent.yml │ │ ├── proc_creation_win_susp_execution_path.yml │ │ ├── proc_creation_win_susp_file_characteristics.yml │ │ ├── proc_creation_win_susp_filefix_execution_pattern.yml │ │ ├── proc_creation_win_susp_gather_network_info_execution.yml │ │ ├── proc_creation_win_susp_hidden_dir_index_allocation.yml │ │ ├── proc_creation_win_susp_hiding_malware_in_fonts_folder.yml │ │ ├── proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml │ │ ├── proc_creation_win_susp_image_missing.yml │ │ ├── proc_creation_win_susp_inline_base64_mz_header.yml │ │ ├── proc_creation_win_susp_inline_node_js_execution.yml │ │ ├── proc_creation_win_susp_inline_win_api_access.yml │ │ ├── proc_creation_win_susp_jwt_token_search.yml │ │ ├── proc_creation_win_susp_lnk_exec_hidden_cmd.yml │ │ ├── proc_creation_win_susp_local_system_owner_account_discovery.yml │ │ ├── proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml │ │ ├── proc_creation_win_susp_lsass_dmp_cli_keywords.yml │ │ ├── proc_creation_win_susp_ms_appinstaller_download.yml │ │ ├── proc_creation_win_susp_network_command.yml │ │ ├── proc_creation_win_susp_network_scan_loop.yml │ │ ├── proc_creation_win_susp_network_sniffing.yml │ │ ├── proc_creation_win_susp_no_image_name.yml │ │ ├── proc_creation_win_susp_non_exe_image.yml │ │ ├── proc_creation_win_susp_non_priv_reg_or_ps.yml │ │ ├── proc_creation_win_susp_ntds.yml │ │ ├── proc_creation_win_susp_nteventlogfile_usage.yml │ │ ├── proc_creation_win_susp_ntfs_short_name_path_use_image.yml │ │ ├── proc_creation_win_susp_ntfs_short_name_use_cli.yml │ │ ├── proc_creation_win_susp_ntfs_short_name_use_image.yml │ │ ├── proc_creation_win_susp_obfuscated_ip_download.yml │ │ ├── proc_creation_win_susp_obfuscated_ip_via_cli.yml │ │ ├── proc_creation_win_susp_parents.yml │ │ ├── proc_creation_win_susp_powershell_execution_via_dll.yml │ │ ├── proc_creation_win_susp_priv_escalation_via_named_pipe.yml │ │ ├── proc_creation_win_susp_private_keys_recon.yml │ │ ├── proc_creation_win_susp_privilege_escalation_cli_patterns.yml │ │ ├── proc_creation_win_susp_proc_wrong_parent.yml │ │ ├── proc_creation_win_susp_progname.yml │ │ ├── proc_creation_win_susp_recon.yml │ │ ├── proc_creation_win_susp_recycle_bin_fake_execution.yml │ │ ├── proc_creation_win_susp_redirect_local_admin_share.yml │ │ ├── proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml │ │ ├── proc_creation_win_susp_remote_desktop_tunneling.yml │ │ ├── proc_creation_win_susp_right_to_left_override.yml │ │ ├── proc_creation_win_susp_script_exec_from_env_folder.yml │ │ ├── proc_creation_win_susp_script_exec_from_temp.yml │ │ ├── proc_creation_win_susp_sensitive_file_access_shadowcopy.yml │ │ ├── proc_creation_win_susp_service_creation.yml │ │ ├── proc_creation_win_susp_service_dir.yml │ │ ├── proc_creation_win_susp_service_tamper.yml │ │ ├── proc_creation_win_susp_shadow_copies_creation.yml │ │ ├── proc_creation_win_susp_shadow_copies_deletion.yml │ │ ├── proc_creation_win_susp_shell_spawn_susp_program.yml │ │ ├── proc_creation_win_susp_sysnative.yml │ │ ├── proc_creation_win_susp_system_exe_anomaly.yml │ │ ├── proc_creation_win_susp_system_user_anomaly.yml │ │ ├── proc_creation_win_susp_sysvol_access.yml │ │ ├── proc_creation_win_susp_task_folder_evasion.yml │ │ ├── proc_creation_win_susp_use_of_te_bin.yml │ │ ├── proc_creation_win_susp_use_of_vsjitdebugger_bin.yml │ │ ├── proc_creation_win_susp_userinit_child.yml │ │ ├── proc_creation_win_susp_velociraptor_child_process.yml │ │ ├── proc_creation_win_susp_weak_or_abused_passwords.yml │ │ ├── proc_creation_win_susp_web_request_cmd_and_cmdlets.yml │ │ ├── proc_creation_win_susp_whoami_as_param.yml │ │ ├── proc_creation_win_susp_workfolders.yml │ │ ├── proc_creation_win_svchost_execution_with_no_cli_flags.yml │ │ ├── proc_creation_win_svchost_masqueraded_execution.yml │ │ ├── proc_creation_win_svchost_termserv_proc_spawn.yml │ │ ├── proc_creation_win_svchost_uncommon_command_line_flags.yml │ │ ├── proc_creation_win_svchost_uncommon_parent_process.yml │ │ ├── proc_creation_win_sysinternals_accesschk_check_permissions.yml │ │ ├── proc_creation_win_sysinternals_adexplorer_execution.yml │ │ ├── proc_creation_win_sysinternals_adexplorer_susp_execution.yml │ │ ├── proc_creation_win_sysinternals_eula_accepted.yml │ │ ├── proc_creation_win_sysinternals_livekd_execution.yml │ │ ├── proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml │ │ ├── proc_creation_win_sysinternals_procdump.yml │ │ ├── proc_creation_win_sysinternals_procdump_evasion.yml │ │ ├── proc_creation_win_sysinternals_procdump_lsass.yml │ │ ├── proc_creation_win_sysinternals_psexec_execution.yml │ │ ├── proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml │ │ ├── proc_creation_win_sysinternals_psexec_remote_execution.yml │ │ ├── proc_creation_win_sysinternals_psexesvc.yml │ │ ├── proc_creation_win_sysinternals_psexesvc_as_system.yml │ │ ├── proc_creation_win_sysinternals_psloglist.yml │ │ ├── proc_creation_win_sysinternals_psservice.yml │ │ ├── proc_creation_win_sysinternals_pssuspend_execution.yml │ │ ├── proc_creation_win_sysinternals_pssuspend_susp_execution.yml │ │ ├── proc_creation_win_sysinternals_sdelete.yml │ │ ├── proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml │ │ ├── proc_creation_win_sysinternals_sysmon_config_update.yml │ │ ├── proc_creation_win_sysinternals_sysmon_uninstall.yml │ │ ├── proc_creation_win_sysinternals_tools_masquerading.yml │ │ ├── proc_creation_win_sysprep_appdata.yml │ │ ├── proc_creation_win_systeminfo_execution.yml │ │ ├── proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml │ │ ├── proc_creation_win_takeown_recursive_own.yml │ │ ├── proc_creation_win_tapinstall_execution.yml │ │ ├── proc_creation_win_tar_compression.yml │ │ ├── proc_creation_win_tar_extraction.yml │ │ ├── proc_creation_win_taskkill_sep.yml │ │ ├── proc_creation_win_tasklist_module_enumeration.yml │ │ ├── proc_creation_win_taskmgr_localsystem.yml │ │ ├── proc_creation_win_taskmgr_susp_child_process.yml │ │ ├── proc_creation_win_teams_suspicious_command_line_cred_access.yml │ │ ├── proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml │ │ ├── proc_creation_win_tscon_localsystem.yml │ │ ├── proc_creation_win_tscon_rdp_redirect.yml │ │ ├── proc_creation_win_tscon_rdp_session_hijacking.yml │ │ ├── proc_creation_win_uac_bypass_changepk_slui.yml │ │ ├── proc_creation_win_uac_bypass_cleanmgr.yml │ │ ├── proc_creation_win_uac_bypass_cmstp.yml │ │ ├── proc_creation_win_uac_bypass_cmstp_com_object_access.yml │ │ ├── proc_creation_win_uac_bypass_computerdefaults.yml │ │ ├── proc_creation_win_uac_bypass_consent_comctl32.yml │ │ ├── proc_creation_win_uac_bypass_dismhost.yml │ │ ├── proc_creation_win_uac_bypass_eventvwr_recentviews.yml │ │ ├── proc_creation_win_uac_bypass_fodhelper.yml │ │ ├── proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml │ │ ├── proc_creation_win_uac_bypass_icmluautil.yml │ │ ├── proc_creation_win_uac_bypass_idiagnostic_profile.yml │ │ ├── proc_creation_win_uac_bypass_ieinstal.yml │ │ ├── proc_creation_win_uac_bypass_msconfig_gui.yml │ │ ├── proc_creation_win_uac_bypass_ntfs_reparse_point.yml │ │ ├── proc_creation_win_uac_bypass_pkgmgr_dism.yml │ │ ├── proc_creation_win_uac_bypass_sdclt.yml │ │ ├── proc_creation_win_uac_bypass_trustedpath.yml │ │ ├── proc_creation_win_uac_bypass_winsat.yml │ │ ├── proc_creation_win_uac_bypass_wmp.yml │ │ ├── proc_creation_win_uac_bypass_wsreset.yml │ │ ├── proc_creation_win_uac_bypass_wsreset_integrity_level.yml │ │ ├── proc_creation_win_ultravnc.yml │ │ ├── proc_creation_win_ultravnc_susp_execution.yml │ │ ├── proc_creation_win_uninstall_crowdstrike_falcon.yml │ │ ├── proc_creation_win_user_shell_folders_registry_modification.yml │ │ ├── proc_creation_win_userinit_uncommon_child_processes.yml │ │ ├── proc_creation_win_vaultcmd_list_creds.yml │ │ ├── proc_creation_win_vbscript_registry_modification.yml │ │ ├── proc_creation_win_verclsid_runs_com.yml │ │ ├── proc_creation_win_virtualbox_execution.yml │ │ ├── proc_creation_win_virtualbox_vboxdrvinst_execution.yml │ │ ├── proc_creation_win_vmware_toolbox_cmd_persistence.yml │ │ ├── proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml │ │ ├── proc_creation_win_vmware_vmtoolsd_susp_child_process.yml │ │ ├── proc_creation_win_vscode_child_processes_anomalies.yml │ │ ├── proc_creation_win_vscode_tunnel_execution.yml │ │ ├── proc_creation_win_vscode_tunnel_remote_shell_.yml │ │ ├── proc_creation_win_vscode_tunnel_renamed_execution.yml │ │ ├── proc_creation_win_vscode_tunnel_service_install.yml │ │ ├── proc_creation_win_vsdiagnostics_execution_proxy.yml │ │ ├── proc_creation_win_vshadow_exec.yml │ │ ├── proc_creation_win_vslsagent_agentextensionpath_load.yml │ │ ├── proc_creation_win_vulnerable_driver_blocklist_registry_tampering.yml │ │ ├── proc_creation_win_w32tm.yml │ │ ├── proc_creation_win_wab_execution_from_non_default_location.yml │ │ ├── proc_creation_win_wab_unusual_parents.yml │ │ ├── proc_creation_win_wbadmin_delete_all_backups.yml │ │ ├── proc_creation_win_wbadmin_delete_backups.yml │ │ ├── proc_creation_win_wbadmin_dump_sensitive_files.yml │ │ ├── proc_creation_win_wbadmin_restore_file.yml │ │ ├── proc_creation_win_wbadmin_restore_sensitive_files.yml │ │ ├── proc_creation_win_webdav_lnk_execution.yml │ │ ├── proc_creation_win_webshell_chopper.yml │ │ ├── proc_creation_win_webshell_hacking.yml │ │ ├── proc_creation_win_webshell_recon_commands_and_processes.yml │ │ ├── proc_creation_win_webshell_susp_process_spawned_from_webserver.yml │ │ ├── proc_creation_win_webshell_tool_recon.yml │ │ ├── proc_creation_win_werfault_lsass_shtinkering.yml │ │ ├── proc_creation_win_werfault_reflect_debugger_exec.yml │ │ ├── proc_creation_win_werfaultsecure_abuse.yml │ │ ├── proc_creation_win_wermgr_susp_child_process.yml │ │ ├── proc_creation_win_wermgr_susp_exec_location.yml │ │ ├── proc_creation_win_wget_download_direct_ip.yml │ │ ├── proc_creation_win_wget_download_susp_file_sharing_domains.yml │ │ ├── proc_creation_win_wget_download_susp_locations.yml │ │ ├── proc_creation_win_where_browser_data_recon.yml │ │ ├── proc_creation_win_whoami_all_execution.yml │ │ ├── proc_creation_win_whoami_execution_from_high_priv_process.yml │ │ ├── proc_creation_win_whoami_groups_discovery.yml │ │ ├── proc_creation_win_whoami_output.yml │ │ ├── proc_creation_win_whoami_parent_anomaly.yml │ │ ├── proc_creation_win_whoami_priv_discovery.yml │ │ ├── proc_creation_win_windows_terminal_susp_children.yml │ │ ├── proc_creation_win_winget_add_custom_source.yml │ │ ├── proc_creation_win_winget_add_insecure_custom_source.yml │ │ ├── proc_creation_win_winget_add_susp_custom_source.yml │ │ ├── proc_creation_win_winget_local_install_via_manifest.yml │ │ ├── proc_creation_win_winrar_exfil_dmp_files.yml │ │ ├── proc_creation_win_winrar_susp_child_process.yml │ │ ├── proc_creation_win_winrar_uncommon_folder_execution.yml │ │ ├── proc_creation_win_winrm_awl_bypass.yml │ │ ├── proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml │ │ ├── proc_creation_win_winrm_remote_powershell_session_process.yml │ │ ├── proc_creation_win_winrm_susp_child_process.yml │ │ ├── proc_creation_win_winrs_local_command_execution.yml │ │ ├── proc_creation_win_winrshost_command_execution.yml │ │ ├── proc_creation_win_winzip_password_compression.yml │ │ ├── proc_creation_win_wlrmdr_uncommon_child_process.yml │ │ ├── proc_creation_win_wmi_backdoor_exchange_transport_agent.yml │ │ ├── proc_creation_win_wmi_password_never_expire.yml │ │ ├── proc_creation_win_wmi_persistence_script_event_consumer.yml │ │ ├── proc_creation_win_wmic_eventconsumer_creation.yml │ │ ├── proc_creation_win_wmic_namespace_defender.yml │ │ ├── proc_creation_win_wmic_process_creation.yml │ │ ├── proc_creation_win_wmic_recon_computersystem.yml │ │ ├── proc_creation_win_wmic_recon_csproduct.yml │ │ ├── proc_creation_win_wmic_recon_group.yml │ │ ├── proc_creation_win_wmic_recon_hotfix.yml │ │ ├── proc_creation_win_wmic_recon_process.yml │ │ ├── proc_creation_win_wmic_recon_product.yml │ │ ├── proc_creation_win_wmic_recon_product_class.yml │ │ ├── proc_creation_win_wmic_recon_service.yml │ │ ├── proc_creation_win_wmic_recon_system_info_uncommon.yml │ │ ├── proc_creation_win_wmic_recon_unquoted_service_search.yml │ │ ├── proc_creation_win_wmic_recon_volume.yml │ │ ├── proc_creation_win_wmic_remote_execution.yml │ │ ├── proc_creation_win_wmic_service_manipulation.yml │ │ ├── proc_creation_win_wmic_squiblytwo_bypass.yml │ │ ├── proc_creation_win_wmic_stdregprov_reg_modification.yml │ │ ├── proc_creation_win_wmic_susp_execution_via_office_process.yml │ │ ├── proc_creation_win_wmic_susp_process_creation.yml │ │ ├── proc_creation_win_wmic_terminate_application.yml │ │ ├── proc_creation_win_wmic_uninstall_application.yml │ │ ├── proc_creation_win_wmic_uninstall_security_products.yml │ │ ├── proc_creation_win_wmic_xsl_script_processing.yml │ │ ├── proc_creation_win_wmiprvse_spawning_process.yml │ │ ├── proc_creation_win_wmiprvse_spawns_powershell.yml │ │ ├── proc_creation_win_wmiprvse_susp_child_processes.yml │ │ ├── proc_creation_win_wpbbin_potential_persistence.yml │ │ ├── proc_creation_win_wscript_cscript_dropper.yml │ │ ├── proc_creation_win_wscript_cscript_susp_child_processes.yml │ │ ├── proc_creation_win_wscript_cscript_uncommon_extension_exec.yml │ │ ├── proc_creation_win_wsl_child_processes_anomalies.yml │ │ ├── proc_creation_win_wsl_kali_linux_installation.yml │ │ ├── proc_creation_win_wsl_kali_linux_usage.yml │ │ ├── proc_creation_win_wsl_windows_binaries_execution.yml │ │ ├── proc_creation_win_wuauclt_dll_loading.yml │ │ ├── proc_creation_win_wuauclt_no_cli_flags_execution.yml │ │ ├── proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml │ │ ├── proc_creation_win_wusa_susp_parent_execution.yml │ │ ├── proc_creation_win_xwizard_execution_non_default_location.yml │ │ └── proc_creation_win_xwizard_runwizard_com_object_exec.yml │ ├── process_tampering/ │ │ └── proc_tampering_susp_process_hollowing.yml │ ├── raw_access_thread/ │ │ └── raw_access_thread_susp_disk_access_using_uncommon_tools.yml │ ├── registry/ │ │ ├── registry_add/ │ │ │ └── registry_add_persistence_disk_cleanup_handler_entry.yml │ │ ├── registry_delete/ │ │ │ ├── registry_delete_defender_context_menu.yml │ │ │ ├── registry_delete_disable_credential_guard.yml │ │ │ ├── registry_delete_enable_windows_recall.yml │ │ │ ├── registry_delete_exploit_guard_protected_folders.yml │ │ │ ├── registry_delete_mstsc_history_cleared.yml │ │ │ ├── registry_delete_removal_amsi_registry_key.yml │ │ │ ├── registry_delete_removal_com_hijacking_registry_key.yml │ │ │ ├── registry_delete_runmru.yml │ │ │ ├── registry_delete_schtasks_hide_task_via_index_value_removal.yml │ │ │ └── registry_delete_schtasks_hide_task_via_sd_value_removal.yml │ │ ├── registry_event/ │ │ │ ├── registry_event_add_local_hidden_user.yml │ │ │ ├── registry_event_bypass_via_wsreset.yml │ │ │ ├── registry_event_cmstp_execution_by_registry.yml │ │ │ ├── registry_event_defender_threat_action_modified.yml │ │ │ ├── registry_event_disable_security_events_logging_adding_reg_key_minint.yml │ │ │ ├── registry_event_disable_wdigest_credential_guard.yml │ │ │ ├── registry_event_esentutl_volume_shadow_copy_service_keys.yml │ │ │ ├── registry_event_hack_wce_reg.yml │ │ │ ├── registry_event_hybridconnectionmgr_svc_installation.yml │ │ │ ├── registry_event_mal_azorult.yml │ │ │ ├── registry_event_malware_qakbot_registry.yml │ │ │ ├── registry_event_modify_screensaver_binary_path.yml │ │ │ ├── registry_event_narrator_feedback_persistance.yml │ │ │ ├── registry_event_net_ntlm_downgrade.yml │ │ │ ├── registry_event_new_dll_added_to_appcertdlls_registry_key.yml │ │ │ ├── registry_event_new_dll_added_to_appinit_dlls_registry_key.yml │ │ │ ├── registry_event_office_test_regadd.yml │ │ │ ├── registry_event_office_trust_record_modification.yml │ │ │ ├── registry_event_persistence_recycle_bin.yml │ │ │ ├── registry_event_portproxy_registry_key.yml │ │ │ ├── registry_event_redmimicry_winnti_reg.yml │ │ │ ├── registry_event_runkey_winekey.yml │ │ │ ├── registry_event_runonce_persistence.yml │ │ │ ├── registry_event_shell_open_keys_manipulation.yml │ │ │ ├── registry_event_silentprocessexit_lsass.yml │ │ │ ├── registry_event_ssp_added_lsa_config.yml │ │ │ ├── registry_event_stickykey_like_backdoor.yml │ │ │ ├── registry_event_susp_atbroker_change.yml │ │ │ ├── registry_event_susp_download_run_key.yml │ │ │ ├── registry_event_susp_lsass_dll_load.yml │ │ │ ├── registry_event_susp_mic_cam_access.yml │ │ │ ├── registry_event_susp_process_registry_modification.yml │ │ │ └── registry_set_enable_anonymous_connection.yml │ │ └── registry_set/ │ │ ├── registry_set_add_load_service_in_safe_mode.yml │ │ ├── registry_set_add_port_monitor.yml │ │ ├── registry_set_aedebug_persistence.yml │ │ ├── registry_set_allow_rdp_remote_assistance_feature.yml │ │ ├── registry_set_amsi_com_hijack.yml │ │ ├── registry_set_amsi_disable.yml │ │ ├── registry_set_asep_reg_keys_modification_classes.yml │ │ ├── registry_set_asep_reg_keys_modification_common.yml │ │ ├── registry_set_asep_reg_keys_modification_currentcontrolset.yml │ │ ├── registry_set_asep_reg_keys_modification_currentversion.yml │ │ ├── registry_set_asep_reg_keys_modification_currentversion_nt.yml │ │ ├── registry_set_asep_reg_keys_modification_internet_explorer.yml │ │ ├── registry_set_asep_reg_keys_modification_office.yml │ │ ├── registry_set_asep_reg_keys_modification_session_manager.yml │ │ ├── registry_set_asep_reg_keys_modification_system_scripts.yml │ │ ├── registry_set_asep_reg_keys_modification_winsock2.yml │ │ ├── registry_set_asep_reg_keys_modification_wow6432node.yml │ │ ├── registry_set_asep_reg_keys_modification_wow6432node_classes.yml │ │ ├── registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml │ │ ├── registry_set_bginfo_custom_db.yml │ │ ├── registry_set_bginfo_custom_vbscript.yml │ │ ├── registry_set_bginfo_custom_wmi_query.yml │ │ ├── registry_set_bypass_uac_using_delegateexecute.yml │ │ ├── registry_set_bypass_uac_using_eventviewer.yml │ │ ├── registry_set_bypass_uac_using_silentcleanup_task.yml │ │ ├── registry_set_change_rdp_port.yml │ │ ├── registry_set_change_security_zones.yml │ │ ├── registry_set_change_sysmon_driver_altitude.yml │ │ ├── registry_set_change_winevt_channelaccess.yml │ │ ├── registry_set_chrome_extension.yml │ │ ├── registry_set_clickonce_trust_prompt.yml │ │ ├── registry_set_cobaltstrike_service_installs.yml │ │ ├── registry_set_comhijack_sdclt.yml │ │ ├── registry_set_crashdump_disabled.yml │ │ ├── registry_set_create_minint_key.yml │ │ ├── registry_set_creation_service_susp_folder.yml │ │ ├── registry_set_credential_guard_disabled.yml │ │ ├── registry_set_custom_file_open_handler_powershell_execution.yml │ │ ├── registry_set_dbgmanageddebugger_persistence.yml │ │ ├── registry_set_defender_exclusions.yml │ │ ├── registry_set_desktop_background_change.yml │ │ ├── registry_set_devdrv_disallow_antivirus_filter.yml │ │ ├── registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml │ │ ├── registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml │ │ ├── registry_set_dhcp_calloutdll.yml │ │ ├── registry_set_disable_administrative_share.yml │ │ ├── registry_set_disable_autologger_sessions.yml │ │ ├── registry_set_disable_defender_firewall.yml │ │ ├── registry_set_disable_function_user.yml │ │ ├── registry_set_disable_macroruntimescanscope.yml │ │ ├── registry_set_disable_privacy_settings_experience.yml │ │ ├── registry_set_disable_security_center_notifications.yml │ │ ├── registry_set_disable_system_restore.yml │ │ ├── registry_set_disable_windows_defender_service.yml │ │ ├── registry_set_disable_windows_event_log_access.yml │ │ ├── registry_set_disable_windows_firewall.yml │ │ ├── registry_set_disable_winevt_logging.yml │ │ ├── registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml │ │ ├── registry_set_disabled_microsoft_defender_eventlog.yml │ │ ├── registry_set_disabled_pua_protection_on_microsoft_defender.yml │ │ ├── registry_set_disabled_tamper_protection_on_microsoft_defender.yml │ │ ├── registry_set_disallowrun_execution.yml │ │ ├── registry_set_disk_cleanup_handler_autorun_persistence.yml │ │ ├── registry_set_dns_over_https_enabled.yml │ │ ├── registry_set_dns_server_level_plugin_dll.yml │ │ ├── registry_set_dot_net_etw_tamper.yml │ │ ├── registry_set_dsrm_tampering.yml │ │ ├── registry_set_enable_periodic_backup.yml │ │ ├── registry_set_enable_windows_recall.yml │ │ ├── registry_set_enabling_cor_profiler_env_variables.yml │ │ ├── registry_set_enabling_turnoffcheck.yml │ │ ├── registry_set_evtx_file_key_tamper.yml │ │ ├── registry_set_exploit_guard_susp_allowed_apps.yml │ │ ├── registry_set_fax_change_service_user.yml │ │ ├── registry_set_fax_dll_persistance.yml │ │ ├── registry_set_file_association_exefile.yml │ │ ├── registry_set_filefix_typedpath_commands.yml │ │ ├── registry_set_hangs_debugger_persistence.yml │ │ ├── registry_set_hhctrl_persistence.yml │ │ ├── registry_set_hidden_extention.yml │ │ ├── registry_set_hide_file.yml │ │ ├── registry_set_hide_function_user.yml │ │ ├── registry_set_hide_scheduled_task_via_index_tamper.yml │ │ ├── registry_set_hvci_disallowed_images.yml │ │ ├── registry_set_ie_security_zone_protocol_defaults_downgrade.yml │ │ ├── registry_set_ime_non_default_extension.yml │ │ ├── registry_set_ime_suspicious_paths.yml │ │ ├── registry_set_install_root_or_ca_certificat.yml │ │ ├── registry_set_internet_explorer_disable_first_run_customize.yml │ │ ├── registry_set_legalnotice_susp_message.yml │ │ ├── registry_set_lolbin_onedrivestandaloneupdater.yml │ │ ├── registry_set_lsa_disablerestrictedadmin.yml │ │ ├── registry_set_lsass_usermode_dumping.yml │ │ ├── registry_set_net_cli_ngenassemblyusagelog.yml │ │ ├── registry_set_netsh_help_dll_persistence_susp_location.yml │ │ ├── registry_set_netsh_helper_dll_potential_persistence.yml │ │ ├── registry_set_new_application_appcompat.yml │ │ ├── registry_set_new_network_provider.yml │ │ ├── registry_set_odbc_driver_registered.yml │ │ ├── registry_set_odbc_driver_registered_susp.yml │ │ ├── registry_set_office_access_vbom_tamper.yml │ │ ├── registry_set_office_disable_protected_view_features.yml │ │ ├── registry_set_office_disable_python_security_warnings.yml │ │ ├── registry_set_office_enable_dde.yml │ │ ├── registry_set_office_outlook_enable_load_macro_provider_on_boot.yml │ │ ├── registry_set_office_outlook_enable_macro_execution.yml │ │ ├── registry_set_office_outlook_enable_unsafe_client_mail_rules.yml │ │ ├── registry_set_office_outlook_security_settings.yml │ │ ├── registry_set_office_trust_record_susp_location.yml │ │ ├── registry_set_office_trusted_location_uncommon.yml │ │ ├── registry_set_office_vba_warnings_tamper.yml │ │ ├── registry_set_optimize_file_sharing_network.yml │ │ ├── registry_set_persistence_amsi_providers.yml │ │ ├── registry_set_persistence_app_cpmpat_layer_registerapprestart.yml │ │ ├── registry_set_persistence_app_paths.yml │ │ ├── registry_set_persistence_appx_debugger.yml │ │ ├── registry_set_persistence_autodial_dll.yml │ │ ├── registry_set_persistence_chm.yml │ │ ├── registry_set_persistence_com_hijacking_builtin.yml │ │ ├── registry_set_persistence_com_key_linking.yml │ │ ├── registry_set_persistence_comhijack_psfactorybuffer.yml │ │ ├── registry_set_persistence_custom_protocol_handler.yml │ │ ├── registry_set_persistence_event_viewer_events_asp.yml │ │ ├── registry_set_persistence_globalflags.yml │ │ ├── registry_set_persistence_ie.yml │ │ ├── registry_set_persistence_ifilter.yml │ │ ├── registry_set_persistence_logon_scripts_userinitmprlogonscript.yml │ │ ├── registry_set_persistence_lsa_extension.yml │ │ ├── registry_set_persistence_mpnotify.yml │ │ ├── registry_set_persistence_mycomputer.yml │ │ ├── registry_set_persistence_natural_language.yml │ │ ├── registry_set_persistence_office_vsto.yml │ │ ├── registry_set_persistence_outlook_homepage.yml │ │ ├── registry_set_persistence_outlook_todaypage.yml │ │ ├── registry_set_persistence_reflectdebugger.yml │ │ ├── registry_set_persistence_scrobj_dll.yml │ │ ├── registry_set_persistence_shim_database.yml │ │ ├── registry_set_persistence_shim_database_susp_application.yml │ │ ├── registry_set_persistence_shim_database_uncommon_location.yml │ │ ├── registry_set_persistence_typed_paths.yml │ │ ├── registry_set_persistence_xll.yml │ │ ├── registry_set_policies_associations_tamper.yml │ │ ├── registry_set_policies_attachments_tamper.yml │ │ ├── registry_set_potential_clickfix_execution.yml │ │ ├── registry_set_potential_oci_dll_redirection.yml │ │ ├── registry_set_powershell_as_service.yml │ │ ├── registry_set_powershell_enablescripts_enabled.yml │ │ ├── registry_set_powershell_execution_policy.yml │ │ ├── registry_set_powershell_in_run_keys.yml │ │ ├── registry_set_powershell_logging_disabled.yml │ │ ├── registry_set_provisioning_command_abuse.yml │ │ ├── registry_set_pua_sysinternals_execution_via_eula.yml │ │ ├── registry_set_pua_sysinternals_renamed_execution_via_eula.yml │ │ ├── registry_set_pua_sysinternals_susp_execution_via_eula.yml │ │ ├── registry_set_renamed_sysinternals_eula_accepted.yml │ │ ├── registry_set_rpcrt4_etw_tamper.yml │ │ ├── registry_set_runmru_susp_command_execution.yml │ │ ├── registry_set_scr_file_executed_by_rundll32.yml │ │ ├── registry_set_sentinelone_shell_context_tampering.yml │ │ ├── registry_set_servicedll_hijack.yml │ │ ├── registry_set_services_etw_tamper.yml │ │ ├── registry_set_set_nopolicies_user.yml │ │ ├── registry_set_sip_persistence.yml │ │ ├── registry_set_sophos_av_tamper.yml │ │ ├── registry_set_special_accounts.yml │ │ ├── registry_set_suppress_defender_notifications.yml │ │ ├── registry_set_susp_keyboard_layout_load.yml │ │ ├── registry_set_susp_pendingfilerenameoperations.yml │ │ ├── registry_set_susp_printer_driver.yml │ │ ├── registry_set_susp_reg_persist_explorer_run.yml │ │ ├── registry_set_susp_run_key_img_folder.yml │ │ ├── registry_set_susp_runmru_space_character.yml │ │ ├── registry_set_susp_service_installed.yml │ │ ├── registry_set_susp_shell_open_keys_modification_patterns.yml │ │ ├── registry_set_susp_typedpaths_space_characters.yml │ │ ├── registry_set_susp_user_shell_folders.yml │ │ ├── registry_set_susp_wfp_filter_added.yml │ │ ├── registry_set_suspicious_env_variables.yml │ │ ├── registry_set_system_lsa_nolmhash.yml │ │ ├── registry_set_taskcache_entry.yml │ │ ├── registry_set_telemetry_persistence.yml │ │ ├── registry_set_terminal_server_suspicious.yml │ │ ├── registry_set_terminal_server_tampering.yml │ │ ├── registry_set_timeproviders_dllname.yml │ │ ├── registry_set_tls_protocol_old_version_enabled.yml │ │ ├── registry_set_treatas_persistence.yml │ │ ├── registry_set_turn_on_dev_features.yml │ │ ├── registry_set_uac_bypass_eventvwr.yml │ │ ├── registry_set_uac_bypass_sdclt.yml │ │ ├── registry_set_uac_bypass_winsat.yml │ │ ├── registry_set_uac_bypass_wmp.yml │ │ ├── registry_set_uac_disable.yml │ │ ├── registry_set_uac_disable_notification.yml │ │ ├── registry_set_uac_disable_secure_desktop_prompt.yml │ │ ├── registry_set_vbs_payload_stored.yml │ │ ├── registry_set_vulnerable_driver_blocklist_disable.yml │ │ ├── registry_set_wab_dllpath_reg_change.yml │ │ ├── registry_set_wdigest_enable_uselogoncredential.yml │ │ ├── registry_set_windows_defender_tamper.yml │ │ ├── registry_set_winget_admin_settings_tampering.yml │ │ ├── registry_set_winget_enable_local_manifest.yml │ │ ├── registry_set_winlogon_allow_multiple_tssessions.yml │ │ └── registry_set_winlogon_notify_key.yml │ ├── sysmon/ │ │ ├── sysmon_config_modification.yml │ │ ├── sysmon_config_modification_error.yml │ │ ├── sysmon_config_modification_status.yml │ │ ├── sysmon_file_block_executable.yml │ │ ├── sysmon_file_block_shredding.yml │ │ └── sysmon_file_executable_detected.yml │ └── wmi_event/ │ ├── sysmon_wmi_event_subscription.yml │ ├── sysmon_wmi_susp_encoded_scripts.yml │ └── sysmon_wmi_susp_scripting.yml ├── rules-compliance/ │ ├── README.md │ ├── other/ │ │ └── netflow_cleartext_protocols.yml │ └── product/ │ └── qualys/ │ ├── qualys_default_credentials_usage.yml │ └── qualys_host_without_firewall.yml ├── rules-dfir/ │ └── README.md ├── rules-emerging-threats/ │ ├── 2010/ │ │ └── Exploits/ │ │ └── CVE-2010-5278/ │ │ └── web_cve_2010_5278_exploitation_attempt.yml │ ├── 2014/ │ │ ├── Exploits/ │ │ │ └── CVE-2014-6287/ │ │ │ └── web_cve_2014_6287_hfs_rce.yml │ │ └── TA/ │ │ ├── Axiom/ │ │ │ └── proc_creation_win_apt_zxshell.yml │ │ └── Turla/ │ │ ├── proc_creation_win_apt_turla_commands_critical.yml │ │ └── proc_creation_win_apt_turla_comrat_may20.yml │ ├── 2015/ │ │ └── Exploits/ │ │ └── CVE-2015-1641/ │ │ └── proc_creation_win_exploit_cve_2015_1641.yml │ ├── 2017/ │ │ ├── Exploits/ │ │ │ ├── CVE-2017-0261/ │ │ │ │ └── proc_creation_win_exploit_cve_2017_0261.yml │ │ │ ├── CVE-2017-11882/ │ │ │ │ └── proc_creation_win_exploit_cve_2017_11882.yml │ │ │ └── CVE-2017-8759/ │ │ │ └── proc_creation_win_exploit_cve_2017_8759.yml │ │ ├── Malware/ │ │ │ ├── Adwind-RAT/ │ │ │ │ └── proc_creation_win_malware_adwind.yml │ │ │ ├── CosmicDuke/ │ │ │ │ └── win_security_mal_cosmik_duke_persistence.yml │ │ │ ├── Fireball/ │ │ │ │ └── proc_creation_win_malware_fireball.yml │ │ │ ├── Hancitor/ │ │ │ │ └── proc_access_win_malware_verclsid_shellcode.yml │ │ │ ├── NotPetya/ │ │ │ │ └── proc_creation_win_malware_notpetya.yml │ │ │ ├── PlugX/ │ │ │ │ └── proc_creation_win_malware_plugx_susp_exe_locations.yml │ │ │ ├── StoneDrill/ │ │ │ │ └── win_system_apt_stonedrill.yml │ │ │ └── WannaCry/ │ │ │ └── proc_creation_win_malware_wannacry.yml │ │ └── TA/ │ │ ├── APT10/ │ │ │ └── proc_creation_win_apt_apt10_cloud_hopper.yml │ │ ├── Dragonfly/ │ │ │ └── proc_creation_win_apt_ta17_293a_ps.yml │ │ ├── Equation-Group/ │ │ │ └── net_firewall_apt_equationgroup_c2.yml │ │ ├── Lazarus/ │ │ │ └── proc_creation_win_apt_lazarus_binary_masquerading.yml │ │ ├── Pandemic/ │ │ │ └── registry_event_apt_pandemic.yml │ │ └── Turla/ │ │ ├── pipe_created_apt_turla_named_pipes.yml │ │ ├── win_system_apt_carbonpaper_turla.yml │ │ └── win_system_apt_turla_service_png.yml │ ├── 2018/ │ │ ├── Exploits/ │ │ │ ├── CVE-2018-13379/ │ │ │ │ └── web_cve_2018_13379_fortinet_preauth_read_exploit.yml │ │ │ ├── CVE-2018-15473/ │ │ │ │ └── lnx_sshd_exploit_cve_2018_15473.yml │ │ │ └── CVE-2018-2894/ │ │ │ └── web_cve_2018_2894_weblogic_exploit.yml │ │ ├── Malware/ │ │ │ └── Elise-Backdoor/ │ │ │ └── proc_creation_win_malware_elise.yml │ │ └── TA/ │ │ ├── APT27/ │ │ │ └── proc_creation_win_apt_apt27_emissary_panda.yml │ │ ├── APT28/ │ │ │ └── proc_creation_win_apt_sofacy.yml │ │ ├── APT29-CozyBear/ │ │ │ ├── file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml │ │ │ └── proc_creation_win_apt_apt29_phishing_campaign_indicators.yml │ │ ├── APT32-Oceanlotus/ │ │ │ └── registry_event_apt_oceanlotus_registry.yml │ │ ├── MuddyWater/ │ │ │ └── proc_creation_win_apt_muddywater_activity.yml │ │ ├── OilRig/ │ │ │ ├── proc_creation_win_apt_oilrig_mar18.yml │ │ │ ├── registry_event_apt_oilrig_mar18.yml │ │ │ ├── win_security_apt_oilrig_mar18.yml │ │ │ └── win_system_apt_oilrig_mar18.yml │ │ ├── Slingshot/ │ │ │ ├── proc_creation_win_apt_slingshot.yml │ │ │ └── win_security_apt_slingshot.yml │ │ └── TropicTrooper/ │ │ └── proc_creation_win_apt_tropictrooper.yml │ ├── 2019/ │ │ ├── Exploits/ │ │ │ ├── BearLPE-Exploit/ │ │ │ │ └── proc_creation_win_exploit_other_bearlpe.yml │ │ │ ├── CVE-2019-0708/ │ │ │ │ ├── win_security_exploit_cve_2019_0708_scanner_poc.yml │ │ │ │ └── win_system_exploit_cve_2019_0708.yml │ │ │ ├── CVE-2019-11510/ │ │ │ │ └── web_cve_2019_11510_pulsesecure_exploit.yml │ │ │ ├── CVE-2019-1378/ │ │ │ │ └── proc_creation_win_exploit_cve_2019_1378.yml │ │ │ ├── CVE-2019-1388/ │ │ │ │ └── proc_creation_win_exploit_cve_2019_1388.yml │ │ │ ├── CVE-2019-14287/ │ │ │ │ ├── lnx_sudo_exploit_cve_2019_14287.yml │ │ │ │ └── proc_creation_lnx_exploit_cve_2019_14287.yml │ │ │ ├── CVE-2019-19781/ │ │ │ │ └── web_cve_2019_19781_citrix_exploit.yml │ │ │ └── CVE-2019-3398/ │ │ │ └── web_cve_2019_3398_confluence.yml │ │ ├── Malware/ │ │ │ ├── BabyShark/ │ │ │ │ └── proc_creation_win_malware_babyshark.yml │ │ │ ├── Chafer/ │ │ │ │ └── proxy_malware_chafer_url_pattern.yml │ │ │ ├── Dridex/ │ │ │ │ └── proc_creation_win_malware_dridex.yml │ │ │ ├── Dtrack-RAT/ │ │ │ │ └── proc_creation_win_malware_dtrack.yml │ │ │ ├── Emotet/ │ │ │ │ └── proc_creation_win_malware_emotet.yml │ │ │ ├── Formbook/ │ │ │ │ └── proc_creation_win_malware_formbook.yml │ │ │ ├── LockerGoga/ │ │ │ │ └── proc_creation_win_malware_lockergoga_ransomware.yml │ │ │ ├── QBot/ │ │ │ │ └── proc_creation_win_malware_qbot.yml │ │ │ ├── Ryuk/ │ │ │ │ └── proc_creation_win_malware_ryuk.yml │ │ │ ├── Snatch/ │ │ │ │ └── proc_creation_win_malware_snatch_ransomware.yml │ │ │ └── Ursnif/ │ │ │ ├── proxy_malware_ursnif_c2_url.yml │ │ │ ├── proxy_malware_ursnif_download_url.yml │ │ │ └── registry_add_malware_ursnif.yml │ │ └── TA/ │ │ ├── APC-C-12/ │ │ │ └── proc_creation_win_apt_aptc12_bluemushroom.yml │ │ ├── APT31/ │ │ │ └── proc_creation_win_apt_apt31_judgement_panda.yml │ │ ├── APT40/ │ │ │ └── proxy_apt_apt40_dropbox_tool_ua.yml │ │ ├── Bear-APT-Activity/ │ │ │ └── proc_creation_win_apt_bear_activity_gtr19.yml │ │ ├── EmpireMonkey/ │ │ │ └── proc_creation_win_apt_empiremonkey.yml │ │ ├── EquationGroup/ │ │ │ └── proc_creation_win_apt_equationgroup_dll_u_load.yml │ │ ├── MustangPanda/ │ │ │ └── proc_creation_win_apt_mustangpanda.yml │ │ └── Operation-Wocao/ │ │ ├── README.md │ │ ├── proc_creation_win_apt_wocao.yml │ │ └── win_security_apt_wocao.yml │ ├── 2020/ │ │ ├── Exploits/ │ │ │ ├── CVE-2020-0688/ │ │ │ │ ├── web_cve_2020_0688_exchange_exploit.yml │ │ │ │ ├── web_cve_2020_0688_msexchange.yml │ │ │ │ └── win_vul_cve_2020_0688.yml │ │ │ ├── CVE-2020-10148/ │ │ │ │ └── web_cve_2020_10148_solarwinds_exploit.yml │ │ │ ├── CVE-2020-10189/ │ │ │ │ └── proc_creation_win_exploit_cve_2020_10189.yml │ │ │ ├── CVE-2020-1048/ │ │ │ │ ├── proc_creation_win_exploit_cve_2020_1048.yml │ │ │ │ └── registry_set_exploit_cve_2020_1048_new_printer_port.yml │ │ │ ├── CVE-2020-1350/ │ │ │ │ └── proc_creation_win_exploit_cve_2020_1350.yml │ │ │ ├── CVE-2020-1472/ │ │ │ │ └── proc_creation_win_exploit_cve_2020_1472_zero_poc.yml │ │ │ ├── CVE-2020-14882/ │ │ │ │ └── web_cve_2020_14882_weblogic_exploit.yml │ │ │ ├── CVE-2020-28188/ │ │ │ │ └── web_cve_2020_28188_terramaster_rce_exploit.yml │ │ │ ├── CVE-2020-3452/ │ │ │ │ └── web_cve_2020_3452_cisco_asa_ftd.yml │ │ │ ├── CVE-2020-5902/ │ │ │ │ └── web_cve_2020_5902_f5_bigip.yml │ │ │ └── CVE-2020-8193/ │ │ │ └── web_cve_2020_8193_8195_citrix_exploit.yml │ │ ├── Malware/ │ │ │ ├── Blue-Mockingbird/ │ │ │ │ ├── proc_creation_win_malware_blue_mockingbird.yml │ │ │ │ └── registry_set_mal_blue_mockingbird.yml │ │ │ ├── ComRAT/ │ │ │ │ └── proxy_malware_comrat_network_indicators.yml │ │ │ ├── Emotet/ │ │ │ │ └── proc_creation_win_malware_emotet_rundll32_execution.yml │ │ │ ├── FlowCloud/ │ │ │ │ └── registry_event_malware_flowcloud_markers.yml │ │ │ ├── Ke3chang-TidePool/ │ │ │ │ └── proc_creation_win_malware_ke3chang_tidepool.yml │ │ │ ├── Maze/ │ │ │ │ └── proc_creation_win_malware_maze_ransomware.yml │ │ │ └── Trickbot/ │ │ │ └── proc_creation_win_malware_trickbot_wermgr.yml │ │ └── TA/ │ │ ├── Evilnum/ │ │ │ └── proc_creation_win_apt_evilnum_jul20.yml │ │ ├── GALLIUM/ │ │ │ ├── proc_creation_win_apt_gallium_iocs.yml │ │ │ └── win_dns_analytic_apt_gallium.yml │ │ ├── Greenbug/ │ │ │ └── proc_creation_win_apt_greenbug_may20.yml │ │ ├── Lazarus/ │ │ │ └── proc_creation_win_apt_lazarus_group_activity.yml │ │ ├── Leviathan/ │ │ │ └── registry_event_apt_leviathan.yml │ │ ├── SolarWinds-Supply-Chain/ │ │ │ ├── README.md │ │ │ ├── proc_creation_win_apt_unc2452_cmds.yml │ │ │ ├── proc_creation_win_apt_unc2452_ps.yml │ │ │ ├── proc_creation_win_apt_unc2452_vbscript_pattern.yml │ │ │ └── web_solarwinds_supernova_webshell.yml │ │ ├── TAIDOOR-RAT/ │ │ │ └── proc_creation_win_apt_taidoor.yml │ │ └── Winnti/ │ │ ├── proc_creation_win_apt_winnti_mal_hk_jan20.yml │ │ └── proc_creation_win_apt_winnti_pipemon.yml │ ├── 2021/ │ │ ├── Exploits/ │ │ │ ├── CVE-2021-1675/ │ │ │ │ ├── av_exploit_cve_2021_34527_print_nightmare.yml │ │ │ │ ├── file_delete_win_exploit_cve_2021_1675_print_nightmare.yml │ │ │ │ ├── file_event_win_exploit_cve_2021_1675_printspooler.yml │ │ │ │ ├── image_load_exploit_cve_2021_1675_spoolsv_dll_load.yml │ │ │ │ ├── registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.yml │ │ │ │ ├── win_exploit_cve_2021_1675_printspooler.yml │ │ │ │ ├── win_exploit_cve_2021_1675_printspooler_operational.yml │ │ │ │ ├── win_security_exploit_cve_2021_1675_printspooler_security.yml │ │ │ │ └── zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.yml │ │ │ ├── CVE-2021-20090/ │ │ │ │ └── web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml │ │ │ ├── CVE-2021-2109/ │ │ │ │ └── web_cve_2021_2109_weblogic_rce_exploit.yml │ │ │ ├── CVE-2021-21972/ │ │ │ │ └── web_cve_2021_21972_vsphere_unauth_rce_exploit.yml │ │ │ ├── CVE-2021-21978/ │ │ │ │ └── web_cve_2021_21978_vmware_view_planner_exploit.yml │ │ │ ├── CVE-2021-22005/ │ │ │ │ └── web_cve_2021_22005_vmware_file_upload.yml │ │ │ ├── CVE-2021-22123/ │ │ │ │ └── web_cve_2021_22123_fortinet_exploit.yml │ │ │ ├── CVE-2021-22893/ │ │ │ │ └── web_cve_2021_22893_pulse_secure_rce_exploit.yml │ │ │ ├── CVE-2021-26084/ │ │ │ │ ├── proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml │ │ │ │ └── web_cve_2021_26084_confluence_rce_exploit.yml │ │ │ ├── CVE-2021-26814/ │ │ │ │ └── web_cve_2021_26814_wzuh_rce.yml │ │ │ ├── CVE-2021-26857/ │ │ │ │ └── proc_creation_win_exploit_cve_2021_26857_msexchange.yml │ │ │ ├── CVE-2021-26858/ │ │ │ │ ├── file_event_win_cve_2021_26858_msexchange.yml │ │ │ │ └── web_cve_2021_26858_iis_rce.yml │ │ │ ├── CVE-2021-27905/ │ │ │ │ └── web_cve_2021_27905_apache_solr_exploit.yml │ │ │ ├── CVE-2021-28480/ │ │ │ │ └── web_cve_2021_28480_exchange_exploit.yml │ │ │ ├── CVE-2021-33766/ │ │ │ │ └── web_cve_2021_33766_msexchange_proxytoken.yml │ │ │ ├── CVE-2021-33771/ │ │ │ │ ├── file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml │ │ │ │ └── registry_set_cve_2021_31979_cve_2021_33771_exploits.yml │ │ │ ├── CVE-2021-35211/ │ │ │ │ └── proc_creation_win_exploit_cve_2021_35211_servu.yml │ │ │ ├── CVE-2021-38647/ │ │ │ │ └── zeek_http_exploit_cve_2021_38647_omigod_no_auth_rce.yml │ │ │ ├── CVE-2021-4034/ │ │ │ │ └── lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml │ │ │ ├── CVE-2021-40444/ │ │ │ │ ├── file_event_win_exploit_cve_2021_40444.yml │ │ │ │ ├── proc_creation_win_exploit_cve_2021_40444.yml │ │ │ │ └── proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml │ │ │ ├── CVE-2021-40539/ │ │ │ │ ├── web_cve_2021_40539_adselfservice.yml │ │ │ │ └── web_cve_2021_40539_manageengine_adselfservice_exploit.yml │ │ │ ├── CVE-2021-41379/ │ │ │ │ ├── file_event_win_cve_2021_41379_msi_lpe.yml │ │ │ │ ├── proc_creation_win_exploit_cve_2021_41379.yml │ │ │ │ └── win_vul_cve_2021_41379.yml │ │ │ ├── CVE-2021-41773/ │ │ │ │ └── web_cve_2021_41773_apache_path_traversal.yml │ │ │ ├── CVE-2021-42237/ │ │ │ │ └── web_cve_2021_42237_sitecore_report_ashx.yml │ │ │ ├── CVE-2021-42278/ │ │ │ │ └── win_system_exploit_cve_2021_42278.yml │ │ │ ├── CVE-2021-42287/ │ │ │ │ ├── win_security_samaccountname_spoofing_cve_2021_42287.yml │ │ │ │ └── win_system_exploit_cve_2021_42287.yml │ │ │ ├── CVE-2021-42321/ │ │ │ │ └── win_exchange_cve_2021_42321.yml │ │ │ ├── CVE-2021-43798/ │ │ │ │ └── web_cve_2021_43798_grafana.yml │ │ │ ├── CVE-2021-44077/ │ │ │ │ └── file_event_win_cve_2021_44077_poc_default_files.yml │ │ │ ├── CVE-2021-44228/ │ │ │ │ ├── proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml │ │ │ │ ├── web_cve_2021_44228_log4j.yml │ │ │ │ └── web_cve_2021_44228_log4j_fields.yml │ │ │ ├── ProxyShell-Exploit/ │ │ │ │ ├── web_exchange_proxyshell.yml │ │ │ │ └── web_exchange_proxyshell_successful.yml │ │ │ ├── RazerInstaller-LPE-Exploit/ │ │ │ │ └── proc_creation_win_exploit_other_razorinstaller_lpe.yml │ │ │ ├── SystemNightmare-Exploit/ │ │ │ │ └── proc_creation_win_exploit_other_systemnightmare.yml │ │ │ └── VisualDoor-Exploit/ │ │ │ ├── README.md │ │ │ └── web_sonicwall_jarrewrite_exploit.yml │ │ ├── Malware/ │ │ │ ├── BlackByte/ │ │ │ │ ├── proc_creation_win_malware_blackbyte_ransomware.yml │ │ │ │ └── registry_set_win_malware_blackbyte_privesc_registry.yml │ │ │ ├── Conti/ │ │ │ │ ├── proc_creation_win_malware_conti.yml │ │ │ │ ├── proc_creation_win_malware_conti_7zip.yml │ │ │ │ ├── proc_creation_win_malware_conti_ransomware_commands.yml │ │ │ │ └── proc_creation_win_malware_conti_ransomware_database_dump.yml │ │ │ ├── DarkSide/ │ │ │ │ └── proc_creation_win_malware_darkside_ransomware.yml │ │ │ ├── Devil-Bait/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_malware_devil_bait_script_drop.yml │ │ │ │ ├── proc_creation_win_malware_devil_bait_output_redirect.yml │ │ │ │ └── proxy_malware_devil_bait_c2_communication.yml │ │ │ ├── FoggyWeb/ │ │ │ │ └── image_load_malware_foggyweb_nobelium.yml │ │ │ ├── Goofy-Guineapig/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_malware_goofy_guineapig_file_indicators.yml │ │ │ │ ├── proc_creation_win_malware_goofy_guineapig_broken_cmd.yml │ │ │ │ ├── proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml │ │ │ │ ├── proxy_malware_goofy_gunieapig_c2_communication.yml │ │ │ │ └── win_system_malware_goofy_guineapig_service_persistence.yml │ │ │ ├── Moriya-Rootkit/ │ │ │ │ └── file_event_win_moriya_rootkit.yml │ │ │ ├── Netwire/ │ │ │ │ └── registry_add_malware_netwire.yml │ │ │ ├── Pingback/ │ │ │ │ ├── file_event_win_malware_pingback_backdoor.yml │ │ │ │ ├── image_load_malware_pingback_backdoor.yml │ │ │ │ └── proc_creation_win_malware_pingback_backdoor.yml │ │ │ └── Small-Sieve/ │ │ │ ├── README.md │ │ │ ├── file_event_win_malware_small_sieve_evasion_typo.yml │ │ │ ├── proc_creation_win_malware_small_sieve_cli_arg.yml │ │ │ ├── proxy_malware_small_sieve_telegram_communication.yml │ │ │ └── registry_set_malware_small_sieve_evasion_typo.yml │ │ └── TA/ │ │ ├── HAFNIUM/ │ │ │ ├── proc_creation_win_apt_hafnium.yml │ │ │ └── web_exchange_exploitation_hafnium.yml │ │ ├── Kaseya-Supply-Chain/ │ │ │ └── proc_creation_win_apt_revil_kaseya.yml │ │ ├── PRIVATELOG/ │ │ │ └── image_load_usp_svchost_clfsw32.yml │ │ ├── SOURGUM/ │ │ │ └── proc_creation_win_apt_sourgrum.yml │ │ └── UNC2546/ │ │ └── web_unc2546_dewmode_php_webshell.yml │ ├── 2022/ │ │ ├── Exploits/ │ │ │ ├── CVE-2022-21554/ │ │ │ │ └── proc_creation_win_exploit_cve_2023_21554_queuejumper.yml │ │ │ ├── CVE-2022-21587/ │ │ │ │ └── web_cve_2022_21587_oracle_ebs.yml │ │ │ ├── CVE-2022-21919/ │ │ │ │ └── win_system_exploit_cve_2022_21919_or_cve_2021_34484.yml │ │ │ ├── CVE-2022-22954/ │ │ │ │ └── proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml │ │ │ ├── CVE-2022-24527/ │ │ │ │ └── file_event_win_cve_2022_24527_lpe.yml │ │ │ ├── CVE-2022-26134/ │ │ │ │ └── proc_creation_lnx_exploit_cve_2022_26134_atlassian_confluence.yml │ │ │ ├── CVE-2022-26809/ │ │ │ │ └── proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml │ │ │ ├── CVE-2022-27925/ │ │ │ │ └── web_cve_2022_27925_exploit.yml │ │ │ ├── CVE-2022-29072/ │ │ │ │ └── proc_creation_win_exploit_cve_2022_29072_7zip.yml │ │ │ ├── CVE-2022-29799/ │ │ │ │ └── lnx_exploit_cve_2022_27999_cve_2022_27800.yml │ │ │ ├── CVE-2022-30190/ │ │ │ │ └── registry_set_exploit_cve_2022_30190_msdt_follina.yml │ │ │ ├── CVE-2022-31656/ │ │ │ │ └── web_cve_2022_31656_auth_bypass.yml │ │ │ ├── CVE-2022-31659/ │ │ │ │ └── web_cve_2022_31659_vmware_rce.yml │ │ │ ├── CVE-2022-33891/ │ │ │ │ ├── proc_creation_lnx_exploit_cve_2022_33891_spark_shell_command_injection.yml │ │ │ │ └── web_cve_2022_33891_spark_shell_command_injection.yml │ │ │ ├── CVE-2022-36804/ │ │ │ │ └── web_cve_2022_36804_atlassian_bitbucket_command_injection.yml │ │ │ ├── CVE-2022-37966/ │ │ │ │ └── win_system_exploit_cve_2022_37966_kdcsvc_rc4_downgrade.yml │ │ │ ├── CVE-2022-41082/ │ │ │ │ ├── proxy_cve_2022_36804_exchange_owassrf_exploitation.yml │ │ │ │ ├── proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml │ │ │ │ ├── web_cve_2022_36804_exchange_owassrf_exploitation.yml │ │ │ │ └── web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml │ │ │ ├── CVE-2022-41120/ │ │ │ │ └── proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml │ │ │ ├── CVE-2022-42475/ │ │ │ │ └── fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml │ │ │ ├── CVE-2022-44877/ │ │ │ │ └── web_cve_2022_44877_exploitation_attempt.yml │ │ │ └── CVE-2022-46169/ │ │ │ └── web_cve_2022_46169_cacti_exploitation_attempt.yml │ │ ├── Malware/ │ │ │ ├── BlueSky-Ransomware/ │ │ │ │ └── win_security_malware_bluesky_ransomware_files_indicators.yml │ │ │ ├── Bumblebee/ │ │ │ │ └── create_remote_thread_win_malware_bumblebee.yml │ │ │ ├── ChromeLoader/ │ │ │ │ └── proc_creation_win_malware_chrome_loader_execution.yml │ │ │ ├── Emotet/ │ │ │ │ └── proc_creation_win_malware_emotet_loader_execution.yml │ │ │ ├── Hermetic-Wiper/ │ │ │ │ └── proc_creation_win_malware_hermetic_wiper_activity.yml │ │ │ ├── Raspberry-Robin/ │ │ │ │ ├── proc_creation_win_malware_raspberry_robin_execution.yml │ │ │ │ ├── proc_creation_win_malware_raspberry_robin_external_drive_exec.yml │ │ │ │ └── proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml │ │ │ ├── Serpent-Backdoor/ │ │ │ │ └── proc_creation_win_malware_serpent_backdoor_payload_execution.yml │ │ │ ├── SocGholish/ │ │ │ │ └── proc_creation_win_malware_socgholish_fakeupdates_activity.yml │ │ │ └── win_mssql_sp_maggie.yml │ │ └── TA/ │ │ ├── ACTINIUM/ │ │ │ └── proc_creation_win_apt_actinium_persistence.yml │ │ └── MERCURY/ │ │ └── proc_creation_win_apt_mercury.yml │ ├── 2023/ │ │ ├── Exploits/ │ │ │ ├── CVE-2023-1389/ │ │ │ │ └── proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml │ │ │ ├── CVE-2023-20198/ │ │ │ │ └── cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml │ │ │ ├── CVE-2023-21554/ │ │ │ │ └── win_cve_2023_21554_msmq_corrupted_packet.yml │ │ │ ├── CVE-2023-22518/ │ │ │ │ ├── proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml │ │ │ │ ├── proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml │ │ │ │ ├── proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml │ │ │ │ └── web_exploit_cve_2023_22518_confluence_auth_bypass.yml │ │ │ ├── CVE-2023-2283/ │ │ │ │ └── lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml │ │ │ ├── CVE-2023-23397/ │ │ │ │ ├── registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml │ │ │ │ ├── win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml │ │ │ │ └── win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml │ │ │ ├── CVE-2023-23752/ │ │ │ │ └── web_cve_2023_23752_joomla_exploit_attempt.yml │ │ │ ├── CVE-2023-25157/ │ │ │ │ └── web_cve_2023_25157_geoserver_sql_injection.yml │ │ │ ├── CVE-2023-25717/ │ │ │ │ └── web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml │ │ │ ├── CVE-2023-27363/ │ │ │ │ └── file_event_win_cve_2023_27363_foxit_rce.yml │ │ │ ├── CVE-2023-27997/ │ │ │ │ └── web_cve_2023_27997_pre_authentication_rce.yml │ │ │ ├── CVE-2023-34362-MOVEit-Transfer-Exploit/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_exploit_cve_2023_34362_moveit_transfer.yml │ │ │ │ ├── proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml │ │ │ │ └── web_cve_2023_34362_known_payload_request.yml.yml │ │ │ ├── CVE-2023-36874/ │ │ │ │ ├── file_event_win_exploit_cve_2023_36874_report_creation.yml │ │ │ │ ├── file_event_win_exploit_cve_2023_36874_wermgr_creation.yml │ │ │ │ └── proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml │ │ │ ├── CVE-2023-36884/ │ │ │ │ ├── file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml │ │ │ │ ├── proxy_exploit_cve_2023_36884_office_windows_html_rce.yml │ │ │ │ ├── proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml │ │ │ │ ├── proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml │ │ │ │ ├── proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml │ │ │ │ └── win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml │ │ │ ├── CVE-2023-38831/ │ │ │ │ ├── file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml │ │ │ │ └── proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml │ │ │ ├── CVE-2023-40477/ │ │ │ │ ├── file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml │ │ │ │ └── win_application_exploit_cve_2023_40477_winrar_crash.yml │ │ │ ├── CVE-2023-43261/ │ │ │ │ ├── proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml │ │ │ │ └── web_exploit_cve_2023_43261_milesight_information_disclosure.yml │ │ │ ├── CVE-2023-46214/ │ │ │ │ ├── web_cve_2023_46214_rce_splunk_enterprise.yml │ │ │ │ └── web_cve_2023_46214_rce_splunk_enterprise_poc.yml │ │ │ ├── CVE-2023-46747/ │ │ │ │ ├── proxy_cve_2023_46747_f5_remote_code_execution.yml │ │ │ │ └── web_cve_2023_46747_f5_remote_code_execution.yml │ │ │ ├── CVE-2023-4966/ │ │ │ │ ├── proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml │ │ │ │ ├── proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml │ │ │ │ ├── web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml │ │ │ │ └── web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml │ │ │ └── Windows-Server-Unknown-Exploit/ │ │ │ └── proc_creation_win_exploit_other_win_server_undocumented_rce.yml │ │ ├── Malware/ │ │ │ ├── COLDSTEEL/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_malware_coldsteel_renamed_cmd.yml │ │ │ │ ├── file_event_win_malware_coldsteel_service_dll_creation.yml │ │ │ │ ├── image_load_malware_coldsteel_persistence_service_dll.yml │ │ │ │ ├── proc_creation_win_malware_coldsteel_anonymous_process.yml │ │ │ │ ├── proc_creation_win_malware_coldsteel_cleanup.yml │ │ │ │ ├── proc_creation_win_malware_coldsteel_service_persistence.yml │ │ │ │ ├── registry_set_malware_coldsteel_created_users.yml │ │ │ │ └── win_system_malware_coldsteel_persistence_service.yml │ │ │ ├── DarkGate/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_malware_darkgate_autoit3_binary_creation.yml │ │ │ │ ├── proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml │ │ │ │ └── proc_creation_win_malware_darkgate_net_user_creation.yml │ │ │ ├── Griffon/ │ │ │ │ └── proc_creation_win_malware_griffon_patterns.yml │ │ │ ├── GuLoader/ │ │ │ │ └── proc_creation_win_malware_guloader_execution.yml │ │ │ ├── IcedID/ │ │ │ │ └── proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml │ │ │ ├── Pikabot/ │ │ │ │ ├── net_connection_win_malware_pikabot_rundll32_activity.yml │ │ │ │ ├── proc_creation_win_malware_pikabot_combined_commands_execution.yml │ │ │ │ ├── proc_creation_win_malware_pikabot_discovery.yml │ │ │ │ ├── proc_creation_win_malware_pikabot_rundll32_hollowing.yml │ │ │ │ └── proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml │ │ │ ├── Qakbot/ │ │ │ │ ├── README.md │ │ │ │ ├── proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml │ │ │ │ ├── proc_creation_win_malware_qakbot_rundll32_execution.yml │ │ │ │ ├── proc_creation_win_malware_qakbot_rundll32_exports.yml │ │ │ │ ├── proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml │ │ │ │ └── proc_creation_win_malware_qakbot_uninstaller_cleanup.yml │ │ │ ├── Rhadamanthys/ │ │ │ │ └── proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml │ │ │ ├── Rorschach/ │ │ │ │ └── proc_creation_win_malware_rorschach_ransomware_activity.yml │ │ │ ├── SNAKE/ │ │ │ │ ├── README.md │ │ │ │ ├── file_event_win_malware_snake_encrypted_payload_ioc.yml │ │ │ │ ├── file_event_win_malware_snake_installers_ioc.yml │ │ │ │ ├── file_event_win_malware_snake_werfault_creation.yml │ │ │ │ ├── proc_creation_win_malware_snake_installer_cli_args.yml │ │ │ │ ├── proc_creation_win_malware_snake_installer_exec.yml │ │ │ │ ├── proc_creation_win_malware_snake_service_execution.yml │ │ │ │ ├── registry_event_malware_snake_covert_store_key.yml │ │ │ │ ├── registry_set_malware_snake_encrypted_key.yml │ │ │ │ └── win_system_malware_snake_persistence_service.yml │ │ │ ├── Ursnif/ │ │ │ │ └── proc_creation_win_malware_ursnif_cmd_redirection.yml │ │ │ └── dns_query_win_malware_socgholish_second_stage_c2.yml │ │ └── TA/ │ │ ├── 3CX-Supply-Chain/ │ │ │ ├── README.md │ │ │ ├── dns_query_win_malware_3cx_compromise.yml │ │ │ ├── image_load_malware_3cx_compromise_susp_dll.yml │ │ │ ├── net_connection_win_malware_3cx_compromise_beaconing_activity.yml │ │ │ ├── proc_creation_win_malware_3cx_compromise_execution.yml │ │ │ ├── proc_creation_win_malware_3cx_compromise_susp_children.yml │ │ │ ├── proc_creation_win_malware_3cx_compromise_susp_update.yml │ │ │ ├── proxy_malware_3cx_compromise_c2_beacon_activity.yml │ │ │ └── proxy_malware_3cx_compromise_susp_ico_requests.yml │ │ ├── Cozy-Bear/ │ │ │ ├── image_load_apt_cozy_bear_graphical_proton_dlls.yml │ │ │ ├── win_security_apt_cozy_bear_scheduled_tasks_name.yml │ │ │ └── win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml │ │ ├── Diamond-Sleet/ │ │ │ ├── README.md │ │ │ ├── dns_query_win_apt_diamond_steel_indicators.yml │ │ │ ├── file_event_win_apt_diamond_sleet_indicators.yml │ │ │ ├── image_load_apt_diamond_sleet_side_load.yml │ │ │ ├── proc_creation_win_apt_diamond_sleet_indicators.yml │ │ │ ├── registry_event_apt_diamond_sleet_scheduled_task.yml │ │ │ └── win_security_apt_diamond_sleet_scheduled_task.yml │ │ ├── EquationGroup/ │ │ │ ├── net_dns_apt_equation_group_triangulation_c2_coms.yml │ │ │ └── proxy_apt_equation_group_triangulation_c2_coms.yml │ │ ├── FIN7/ │ │ │ ├── README.md │ │ │ ├── file_event_win_apt_fin7_powershell_scripts_naming_convention.yml │ │ │ ├── posh_ps_apt_fin7_powerhold.yml │ │ │ ├── posh_ps_apt_fin7_powertrash_execution.yml │ │ │ └── proc_creation_win_apt_fin7_powertrash_lateral_movement.yml │ │ ├── Lace-Tempest/ │ │ │ ├── README.md │ │ │ ├── file_event_win_apt_lace_tempest_indicators.yml │ │ │ ├── posh_ps_apt_lace_tempest_eraser_script.yml │ │ │ ├── posh_ps_apt_lace_tempest_malware_launcher.yml │ │ │ ├── proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml │ │ │ └── proc_creation_win_apt_lace_tempest_loader_execution.yml │ │ ├── Lazarus/ │ │ │ ├── README.md │ │ │ └── image_load_apt_lazarus_side_load_activity.yml │ │ ├── Mint-Sandstorm/ │ │ │ ├── README.md │ │ │ ├── proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml │ │ │ ├── proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml │ │ │ └── proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml │ │ ├── Mustang-Panda-Australia-Campaign/ │ │ │ ├── README.md │ │ │ └── proc_creation_win_apt_mustang_panda_indicators.yml │ │ ├── Okta-Support-System-Breach/ │ │ │ ├── README.md │ │ │ └── okta_apt_suspicious_user_creation.yml │ │ ├── Onyx-Sleet/ │ │ │ ├── README.md │ │ │ └── file_event_win_apt_onyx_sleet_indicators.yml │ │ ├── PaperCut-Print-Management-Exploitation/ │ │ │ ├── README.md │ │ │ ├── proc_creation_win_papercut_print_management_exploitation_indicators.yml │ │ │ └── proc_creation_win_papercut_print_management_exploitation_pc_app.yml │ │ ├── Peach-Sandstorm/ │ │ │ ├── proc_creation_win_apt_peach_sandstorm_indicators.yml │ │ │ └── proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml │ │ └── UNC4841-Barracuda-ESG-Zero-Day-Exploitation/ │ │ ├── README.md │ │ ├── file_event_lnx_apt_unc4841_exfil_mail_pattern.yml │ │ ├── file_event_lnx_apt_unc4841_file_indicators.yml │ │ ├── proc_creation_lnx_apt_unc4841_openssl_connection.yml │ │ ├── proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml │ │ ├── proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml │ │ └── proc_creation_lnx_atp_unc4841_seaspy_execution.yml │ ├── 2024/ │ │ ├── Exploits/ │ │ │ ├── CVE-2024-1212/ │ │ │ │ └── web_exploit_cve_2024_1212_.yml │ │ │ ├── CVE-2024-1708/ │ │ │ │ ├── file_event_win_exploit_cve_2024_1708_screenconnect.yml │ │ │ │ └── win_security_exploit_cve_2024_1708_screenconnect.yml │ │ │ ├── CVE-2024-1709/ │ │ │ │ ├── file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml │ │ │ │ ├── web_exploit_cve_2024_1709_screenconnect.yml │ │ │ │ └── win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml │ │ │ ├── CVE-2024-3094/ │ │ │ │ └── proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml │ │ │ ├── CVE-2024-3400/ │ │ │ │ ├── file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml │ │ │ │ └── paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml │ │ │ ├── CVE-2024-35250/ │ │ │ │ └── image_load_exploit_cve_2024_35250_privilege_escalation.yml │ │ │ ├── CVE-2024-37085/ │ │ │ │ ├── proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml │ │ │ │ └── win_security_exploit_cve_2024_37085_esxi_admins_group.yml │ │ │ ├── CVE-2024-49113/ │ │ │ │ └── win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml │ │ │ └── CVE-2024-50623/ │ │ │ └── proc_creation_win_exploit_cve_2024_50623_cleo.yml │ │ ├── Malware/ │ │ │ ├── CSharp-Streamer/ │ │ │ │ └── image_load_malware_csharp_streamer_dotnet_load.yml │ │ │ ├── DarkGate/ │ │ │ │ └── file_event_win_malware_darkgate_autoit3_save_temp.yml │ │ │ ├── Generic/ │ │ │ │ └── file_event_win_malware_generic_creation_configuration_rats.yml │ │ │ ├── KamiKakaBot/ │ │ │ │ ├── proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml │ │ │ │ ├── proc_creation_win_malware_kamikakabot_schtasks_persistence.yml │ │ │ │ └── registry_set_malware_kamikakabot_winlogon_persistence.yml │ │ │ ├── Lummac-Stealer/ │ │ │ │ └── proc_creation_win_malware_lummac_more_vbc.yml │ │ │ ├── Raspberry-Robin/ │ │ │ │ ├── image_load_malware_raspberry_robin_side_load_aclui_oleview.yml │ │ │ │ ├── proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml │ │ │ │ └── registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml │ │ │ └── kapeka/ │ │ │ ├── Kapeka.md │ │ │ ├── file_event_win_malware_kapeka_backdoor_indicators.yml │ │ │ ├── image_load_malware_kapeka_backdoor_wll.yml │ │ │ ├── proc_creation_win_malware_kapeka_backdoor_persistence.yml │ │ │ ├── proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml │ │ │ ├── registry_set_malware_kapeka_backdoor_autorun_persistence.yml │ │ │ ├── registry_set_malware_kapeka_backdoor_configuration.yml │ │ │ └── win_security_malware_kapeka_backdoor_scheduled_task_creation.yml │ │ └── TA/ │ │ ├── DPRK/ │ │ │ └── dns_query_win_apt_dprk_malicious_domains.yml │ │ ├── FIN7/ │ │ │ └── proc_creation_win_apt_fin7_exploitation_indicators.yml │ │ ├── Forest-Blizzard/ │ │ │ ├── README.md │ │ │ ├── file_event_win_apt_forest_blizzard_activity.yml │ │ │ ├── file_event_win_apt_forest_blizzard_constrained_js.yml │ │ │ ├── proc_creation_win_apt_forest_blizzard_activity.yml │ │ │ ├── registry_set_apt_forest_blizzard_custom_protocol_handler.yml │ │ │ └── registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml │ │ └── SlashAndGrab-Exploitation-In-Wild/ │ │ └── file_event_win_apt_unknown_exploitation_indicators.yml │ ├── 2025/ │ │ ├── Exploits/ │ │ │ ├── CVE-2025-10035/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_10035.yml │ │ │ ├── CVE-2025-20333/ │ │ │ │ └── proxy_exploit_cve_2025_20333.yml │ │ │ ├── CVE-2025-24054/ │ │ │ │ └── file_event_win_exploit_cve_2025_24054_library_ms.yml │ │ │ ├── CVE-2025-30406/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml │ │ │ ├── CVE-2025-31161/ │ │ │ │ └── proc_creation_win_crushftp_susp_child_processes.yml │ │ │ ├── CVE-2025-31324/ │ │ │ │ ├── file_event_lnx_sap_netweaver_webshell_creation.yml │ │ │ │ ├── file_event_win_sap_netweaver_webshell_creation.yml │ │ │ │ ├── proc_creation_lnx_sap_netweaver_susp_child_process.yml │ │ │ │ ├── proc_creation_win_sap_netweaver_susp_child_process.yml │ │ │ │ ├── web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell.yml │ │ │ │ └── web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell_uploaded.yml │ │ │ ├── CVE-2025-32463/ │ │ │ │ └── file_event_lnx_exploit_cve_2025_32463.yml │ │ │ ├── CVE-2025-33053/ │ │ │ │ ├── image_load_win_exploit_cve_2025_33053.yml │ │ │ │ ├── proc_access_win_exploit_cve_2025_33053.yml │ │ │ │ └── proc_creation_win_exploit_cve_2025_33053.yml │ │ │ ├── CVE-2025-40551/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_40551.yml │ │ │ ├── CVE-2025-4427/ │ │ │ │ └── web_invanti_epmm_cve_2025_4427_and_cve_2025_4428.yml │ │ │ ├── CVE-2025-49144/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_49144.yml │ │ │ ├── CVE-2025-53770/ │ │ │ │ ├── file_event_win_exploit_cve_2025_53770.yml │ │ │ │ ├── proc_creation_win_exploit_cve_2025_53770_indicators.yml │ │ │ │ └── web_win_iis_exploit_cve_2025_53770.yml │ │ │ ├── CVE-2025-54309/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_54309.yml │ │ │ ├── CVE-2025-55182/ │ │ │ │ ├── proc_creation_lnx_exploit_cve_2025_55182_susp_nodejs_server_child_process.yml │ │ │ │ └── proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process.yml │ │ │ ├── CVE-2025-57788/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_57788.yml │ │ │ ├── CVE-2025-57790/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_57790.yml │ │ │ ├── CVE-2025-57791/ │ │ │ │ └── proc_creation_win_exploit_cve_2025_57791.yml │ │ │ └── CVE-2025-59287/ │ │ │ ├── proc_creation_win_exploit_cve_2025_59287.yml │ │ │ └── win_wsus_exploit_cve_2025_59287.yml │ │ └── Malware/ │ │ ├── Atomic-MacOS-Stealer/ │ │ │ ├── file_event_macos_malware_amos_persistence.yml │ │ │ └── proc_creation_macos_malware_amos_curl_post.yml │ │ ├── Grixba/ │ │ │ └── proc_creation_win_malware_grixba_recon.yml │ │ ├── Katz-Stealer/ │ │ │ ├── dns_query_win_katz_stealer_domain.yml │ │ │ ├── image_load_win_katz_stealer_payloads.yml │ │ │ ├── net_dns_katz_stealer_domain.yml │ │ │ └── zeek_http_katz_stealer_susp_useragent.yml │ │ ├── Shai-Hulud/ │ │ │ ├── file_event_lnx_mal_shai_hulud_workflow.yml │ │ │ ├── github_mal_shai_hulud_npm_attack.yml │ │ │ └── proc_creation_lnx_mal_shai_hululd_exfiltration.yml │ │ ├── file_event_win_malware_funklocker_ransomware_extension.yml │ │ └── proc_creation_win_malware_kalambur_curl_socks_tor.yml │ └── README.md ├── rules-placeholder/ │ ├── README.md │ ├── cloud/ │ │ ├── aws/ │ │ │ └── cloudtrail/ │ │ │ └── aws_cloudtrail_console_login_success_from_susp_locations.yml │ │ └── azure/ │ │ ├── audit_logs/ │ │ │ └── azure_ad_account_created_deleted_nonapproved_user.yml │ │ └── signin_logs/ │ │ ├── azure_ad_account_signin_outside_hours.yml │ │ ├── azure_privileged_account_no_saw_paw.yml │ │ ├── azure_privileged_account_sigin_expected_controls.yml │ │ └── azure_privileged_account_signin_outside_hours.yml │ └── windows/ │ ├── builtin/ │ │ └── security/ │ │ ├── win_security_admin_logon.yml │ │ ├── win_security_exploit_cve_2020_1472.yml │ │ ├── win_security_potential_pass_the_hash.yml │ │ ├── win_security_remote_registry_management_via_reg.yml │ │ └── win_security_susp_interactive_logons.yml │ ├── dns_query/ │ │ └── dns_query_win_wscript_cscript_resolution.yml │ ├── network_connection/ │ │ └── net_connection_win_susp_rdp_from_domain_controller.yml │ └── process_creation/ │ └── proc_creation_win_userdomain_variable_enumeration.yml ├── rules-threat-hunting/ │ ├── README.md │ ├── cloud/ │ │ ├── m365/ │ │ │ └── audit/ │ │ │ ├── microsoft365_susp_email_forwarding_activity.yml │ │ │ └── microsoft365_susp_inbox_rule_creation_or_update_activity.yml │ │ └── okta/ │ │ └── okta_password_health_report_query.yml │ ├── linux/ │ │ ├── file/ │ │ │ └── file_event/ │ │ │ ├── file_event_lnx_python_path_configuration_files.yml │ │ │ └── file_event_lnx_susp_long_filename_pattern.yml │ │ └── process_creation/ │ │ ├── proc_creation_lnx_susp_process_termination_via_kill.yml │ │ └── proc_creation_lnx_susp_running_process_discovery.yml │ ├── macos/ │ │ ├── file/ │ │ │ └── file_event/ │ │ │ └── file_event_macos_python_path_configuration_files.yml │ │ └── process_creation/ │ │ └── proc_creation_macos_pbpaste_execution.yml │ ├── network/ │ │ └── net_dns_low_reputation_etld.yml │ ├── web/ │ │ └── proxy_generic/ │ │ └── proxy_susp_class_extension_request.yml │ └── windows/ │ ├── builtin/ │ │ ├── appxdeployment_server/ │ │ │ └── win_appxpackaging_server_successful_package_installation.yml │ │ ├── firewall_as/ │ │ │ └── win_firewall_as_change_rule.yml │ │ └── security/ │ │ ├── account_management/ │ │ │ └── win_security_scrcons_remote_wmi_scripteventconsumer.yml │ │ ├── win_security_file_access_browser_credential.yml │ │ └── win_security_scheduled_task_deletion.yml │ ├── create_remote_thread/ │ │ ├── create_remote_thread_win_loadlibrary.yml │ │ ├── create_remote_thread_win_powershell_generic.yml │ │ └── create_remote_thread_win_susp_target_shell_application.yml │ ├── file/ │ │ ├── file_access/ │ │ │ ├── file_access_win_browsers_chromium_sensitive_files.yml │ │ │ ├── file_access_win_browsers_credential.yml │ │ │ ├── file_access_win_office_outlook_mail_credential.yml │ │ │ ├── file_access_win_susp_gpo_access_uncommon_process.yml │ │ │ ├── file_access_win_susp_reg_and_hive.yml │ │ │ └── file_access_win_susp_unattend_xml.yml │ │ ├── file_change/ │ │ │ └── file_change_win_date_changed_to_another_year.yml │ │ ├── file_delete/ │ │ │ └── file_delete_win_zone_identifier_ads.yml │ │ ├── file_event/ │ │ │ ├── file_event_win_dump_file_creation.yml │ │ │ ├── file_event_win_pfx_file_creation.yml │ │ │ ├── file_event_win_python_path_configuration_files.yml │ │ │ ├── file_event_win_scheduled_task_creation.yml │ │ │ ├── file_event_win_susp_binary_dropper.yml │ │ │ ├── file_event_win_vscode_tunnel_indicators.yml │ │ │ ├── file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml │ │ │ └── file_event_win_webdav_tmpfile_creation.yml │ │ └── file_rename/ │ │ └── file_rename_win_non_dll_to_dll_ext.yml │ ├── image_load/ │ │ ├── image_load_dll_amsi_uncommon_process.yml │ │ ├── image_load_dll_bitsproxy_load_by_uncommon_process.yml │ │ ├── image_load_dll_dbghelp_dbgcore_susp_load.yml │ │ ├── image_load_dll_system_drawing_load.yml │ │ ├── image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml │ │ ├── image_load_office_excel_xll_load.yml │ │ ├── image_load_office_word_wll_load.yml │ │ ├── image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml │ │ └── image_load_wmi_module_load_by_uncommon_process.yml │ ├── network_connection/ │ │ ├── net_connection_win_dfsvc_non_local_ip.yml │ │ ├── net_connection_win_dfsvc_uncommon_ports.yml │ │ ├── net_connection_win_dllhost_non_local_ip.yml │ │ ├── net_connection_win_hh_http_connection.yml │ │ ├── net_connection_win_msiexec_http.yml │ │ ├── net_connection_win_powershell_network_connection.yml │ │ ├── net_connection_win_susp_azurefd_connection.yml │ │ └── net_connection_win_susp_initaited_public_folder.yml │ ├── pipe_created/ │ │ └── pipe_created_sysinternals_psexec_default_pipe.yml │ ├── powershell/ │ │ ├── powershell_classic/ │ │ │ ├── posh_pc_alternate_powershell_hosts.yml │ │ │ └── posh_pc_bxor_operator_usage.yml │ │ ├── powershell_module/ │ │ │ └── posh_pm_susp_netfirewallrule_recon.yml │ │ └── powershell_script/ │ │ ├── posh_ps_compress_archive_usage.yml │ │ ├── posh_ps_email_forwarding_activity.yml │ │ ├── posh_ps_inbox_rule_creation_or_update_activity.yml │ │ ├── posh_ps_mailbox_access.yml │ │ ├── posh_ps_new_netfirewallrule_allow.yml │ │ ├── posh_ps_new_smbmapping_quic.yml │ │ ├── posh_ps_registry_reconnaissance.yml │ │ ├── posh_ps_remove_item_path.yml │ │ ├── posh_ps_send_mailmessage.yml │ │ ├── posh_ps_token_obfuscation.yml │ │ ├── posh_ps_win_api_functions_access.yml │ │ └── posh_ps_win_api_library_access.yml │ ├── process_access/ │ │ ├── proc_access_win_lsass_powershell_access.yml │ │ ├── proc_access_win_lsass_susp_source_process.yml │ │ ├── proc_access_win_lsass_uncommon_access_flag.yml │ │ └── proc_access_win_susp_potential_shellcode_injection.yml │ ├── process_creation/ │ │ ├── proc_creation_win_7zip_password_extraction.yml │ │ ├── proc_creation_win_attrib_system.yml │ │ ├── proc_creation_win_boinc_execution.yml │ │ ├── proc_creation_win_cmd_redirect.yml │ │ ├── proc_creation_win_cmd_set_prompt_abuse.yml │ │ ├── proc_creation_win_conhost_headless_execution.yml │ │ ├── proc_creation_win_csc_compilation.yml │ │ ├── proc_creation_win_curl_download.yml │ │ ├── proc_creation_win_curl_execution.yml │ │ ├── proc_creation_win_curl_fileupload.yml │ │ ├── proc_creation_win_curl_useragent.yml │ │ ├── proc_creation_win_dfsvc_child_processes.yml │ │ ├── proc_creation_win_diskshadow_child_process.yml │ │ ├── proc_creation_win_diskshadow_script_mode.yml │ │ ├── proc_creation_win_explorer_child_of_shell_process.yml │ │ ├── proc_creation_win_extexport_execution.yml │ │ ├── proc_creation_win_findstr_password_recon.yml │ │ ├── proc_creation_win_iexpress_execution.yml │ │ ├── proc_creation_win_microsoft_workflow_compiler_execution.yml │ │ ├── proc_creation_win_mode_codepage_change.yml │ │ ├── proc_creation_win_net_execution.yml │ │ ├── proc_creation_win_net_quic.yml │ │ ├── proc_creation_win_office_svchost_parent.yml │ │ ├── proc_creation_win_powershell_abnormal_commandline_size.yml │ │ ├── proc_creation_win_powershell_crypto_namespace.yml │ │ ├── proc_creation_win_powershell_import_module.yml │ │ ├── proc_creation_win_powershell_new_netfirewallrule_allow.yml │ │ ├── proc_creation_win_powershell_susp_child_processes.yml │ │ ├── proc_creation_win_regsvr32_dllregisterserver_exec.yml │ │ ├── proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml │ │ ├── proc_creation_win_remote_access_tools_ammyy_admin_execution.yml │ │ ├── proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml │ │ ├── proc_creation_win_remote_access_tools_screenconnect_child_proc.yml │ │ ├── proc_creation_win_rundll32_by_ordinal.yml │ │ ├── proc_creation_win_rundll32_dllregisterserver.yml │ │ ├── proc_creation_win_sc_query.yml │ │ ├── proc_creation_win_schtasks_creation_from_susp_parent.yml │ │ ├── proc_creation_win_susp_cli_obfuscation_unicode.yml │ │ ├── proc_creation_win_susp_compression_params.yml │ │ ├── proc_creation_win_susp_elevated_system_shell.yml │ │ ├── proc_creation_win_susp_event_log_query.yml │ │ ├── proc_creation_win_susp_execution_from_guid_folder_names.yml │ │ ├── proc_creation_win_susp_execution_path_webserver.yml │ │ ├── proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml │ │ ├── proc_creation_win_susp_file_permission_modifications.yml │ │ ├── proc_creation_win_susp_ntfs_short_name_path_use_cli.yml │ │ ├── proc_creation_win_susp_open_html_file_from_download_folder.yml │ │ ├── proc_creation_win_susp_parent_execute_itself.yml │ │ ├── proc_creation_win_susp_script_exec_from_compressed_parent.yml │ │ ├── proc_creation_win_taskkill_execution.yml │ │ ├── proc_creation_win_tasklist_basic_execution.yml │ │ ├── proc_creation_win_webdav_process_execution.yml │ │ ├── proc_creation_win_winscp_command_open_ftp.yml │ │ ├── proc_creation_win_winscp_portable_execution.yml │ │ ├── proc_creation_win_wmic_recon_system_info.yml │ │ ├── proc_creation_win_wscript_cscript_script_exec.yml │ │ ├── proc_creation_win_wsl_arbitrary_command_execution.yml │ │ └── proc_creation_win_wusa_cab_files_extraction.yml │ └── registry/ │ ├── registry_event/ │ │ └── registry_event_scheduled_task_creation.yml │ └── registry_set/ │ ├── registry_set_office_trusted_location.yml │ ├── registry_set_powershell_crypto_namespace.yml │ ├── registry_set_runmru_command_execution.yml │ ├── registry_set_service_image_path_user_controlled_folder.yml │ └── registry_set_shell_context_menu_tampering.yml ├── tests/ │ ├── check-baseline-local.sh │ ├── deprecated_rules.py │ ├── logsource.json │ ├── promote_rules_status.py │ ├── reference-archiver.py │ ├── regression_tests_runner.py │ ├── rule-references.txt │ ├── sigma-package-release.py │ ├── sigma_cli_conf.yml │ ├── test_logsource.py │ ├── test_rules.py │ ├── thor.yml │ └── validate-sigma-schema/ │ ├── sigma-schema.json │ └── validate.py └── unsupported/ ├── README.md ├── cloud/ │ ├── aws_ec2_download_userdata.yml │ ├── aws_enum_backup.yml │ ├── aws_enum_listing.yml │ ├── aws_enum_network.yml │ ├── aws_enum_storage.yml │ ├── aws_lambda_function_created_or_invoked.yml │ ├── aws_macic_evasion.yml │ ├── aws_ses_messaging_enabled.yml │ └── azure_aad_secops_signin_failure_bad_password_threshold.yml ├── linux/ │ ├── lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml │ ├── lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml │ ├── lnx_auditd_cve_2021_4034.yml │ ├── lnx_auditd_debugfs_usage.yml │ ├── lnx_auditd_omigod_scx_runasprovider_executescript.yml │ ├── lnx_auth_susp_failed_logons_single_source.yml │ └── lnx_shell_priv_esc_prep.yml ├── network/ │ ├── net_dns_c2_detection.yml │ ├── net_dns_high_bytes_out.yml │ ├── net_dns_high_null_records_requests_rate.yml │ ├── net_dns_high_requests_rate.yml │ ├── net_dns_high_subdomain_rate.yml │ ├── net_dns_high_txt_records_requests_rate.yml │ ├── net_dns_large_domain_name.yml │ ├── net_firewall_high_dns_bytes_out.yml │ ├── net_firewall_high_dns_requests_rate.yml │ ├── net_firewall_susp_network_scan_by_ip.yml │ ├── net_firewall_susp_network_scan_by_port.yml │ └── net_possible_dns_rebinding.yml ├── other/ │ └── modsec_mulitple_blocks.yml ├── web/ │ └── web_multiple_susp_resp_codes_single_source.yml ├── windows/ │ ├── dns_query_win_possible_dns_rebinding.yml │ ├── driver_load_invoke_obfuscation_clip+_services.yml │ ├── driver_load_invoke_obfuscation_obfuscated_iex_services.yml │ ├── driver_load_invoke_obfuscation_stdin+_services.yml │ ├── driver_load_invoke_obfuscation_var+_services.yml │ ├── driver_load_invoke_obfuscation_via_compress_services.yml │ ├── driver_load_invoke_obfuscation_via_rundll_services.yml │ ├── driver_load_invoke_obfuscation_via_stdin_services.yml │ ├── driver_load_invoke_obfuscation_via_use_clip_services.yml │ ├── driver_load_invoke_obfuscation_via_use_mshta_services.yml │ ├── driver_load_invoke_obfuscation_via_use_rundll32_services.yml │ ├── driver_load_invoke_obfuscation_via_var++_services.yml │ ├── driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml │ ├── driver_load_tap_driver_installation.yml │ ├── file_event_executable_and_script_creation_by_office_using_file_ext.yml │ ├── image_load_mimikatz_inmemory_detection.yml │ ├── posh_ps_cl_invocation_lolscript_count.yml │ ├── posh_ps_cl_mutexverifiers_lolscript_count.yml │ ├── proc_creation_win_correlation_apt_silence_downloader_v3.yml │ ├── proc_creation_win_correlation_apt_turla_commands_medium.yml │ ├── proc_creation_win_correlation_dnscat2_powershell_implementation.yml │ ├── proc_creation_win_correlation_multiple_susp_cli.yml │ ├── proc_creation_win_correlation_susp_builtin_commands_recon.yml │ ├── sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml │ ├── sysmon_always_install_elevated_parent_child_correlated.yml │ ├── sysmon_non_priv_program_files_move.yml │ ├── sysmon_process_reimaging.yml │ ├── win_access_fake_files_with_stored_credentials.yml │ ├── win_apt_apt29_tor.yml │ ├── win_dumping_ntdsdit_via_dcsync.yml │ ├── win_dumping_ntdsdit_via_netsync.yml │ ├── win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml │ ├── win_mal_service_installs.yml │ ├── win_metasploit_or_impacket_smb_psexec_service_install.yml │ ├── win_possible_privilege_escalation_using_rotten_potato.yml │ ├── win_remote_schtask.yml │ ├── win_remote_service.yml │ ├── win_security_global_catalog_enumeration.yml │ ├── win_security_rare_schtasks_creations.yml │ ├── win_security_susp_failed_logons_explicit_credentials.yml │ ├── win_security_susp_failed_logons_single_process.yml │ ├── win_security_susp_failed_logons_single_source.yml │ ├── win_security_susp_failed_logons_single_source2.yml │ ├── win_security_susp_failed_logons_single_source_kerberos.yml │ ├── win_security_susp_failed_logons_single_source_kerberos2.yml │ ├── win_security_susp_failed_logons_single_source_kerberos3.yml │ ├── win_security_susp_failed_logons_single_source_ntlm.yml │ ├── win_security_susp_failed_logons_single_source_ntlm2.yml │ ├── win_security_susp_failed_remote_logons_single_source.yml │ ├── win_security_susp_multiple_files_renamed_or_deleted.yml │ ├── win_security_susp_samr_pwset.yml │ ├── win_susp_failed_hidden_share_mount.yml │ ├── win_suspicious_werfault_connection_outbound.yml │ ├── win_system_rare_service_installs.yml │ └── win_taskscheduler_rare_schtask_creation.yml └── zeek/ ├── zeek_dce_rpc_domain_user_enumeration.yml └── zeek_http_exfiltration_compressed_files.yml