gitextract_rqzb9198/
├── Persistence/
│   └── Registry Autoruns/
│       ├── Appinit Dlls
│       ├── Boot Execute
│       ├── Codecs
│       ├── Drivers
│       ├── Explorer
│       ├── Image Hijacks
│       ├── Internet Explorer
│       ├── KnownDlls
│       ├── LSA Providers
│       ├── Logon
│       ├── Network Providers
│       ├── Office
│       ├── Print Monitor
│       ├── Services
│       ├── WinLogon
│       └── WinSocket Providers
├── README.md
├── WindowsDefenderATP Hunting Queries /
│   ├── APT_IR_CNC_Possible RDP Tunnel
│   ├── APT_IR_CNC_rdp enable
│   ├── APT_IR_Execution_Echo
│   ├── APT_IR_Persistance_AccountCreation
│   ├── APT_IR_Persistance_LocalAccounts
│   ├── APT_IR_Persistance_LocalGroups
│   ├── APT_IR_Persistance_secedit
│   ├── Alert_Summary by AlertTitle
│   ├── Alert_Summary by Category
│   ├── Alert_Summary by ComputerName
│   ├── Alert_Summary by FIleName
│   ├── Alert_WDAVDetection
│   ├── Indication_ClearEventlog
│   ├── Indication_OutPut_Redirection
│   ├── Indication_RemoteShareMounting
│   ├── Indication_Tool_IMPACKET artifact
│   ├── Indication_Tool_ProcDump_possible
│   ├── Network_Cscript_Wscript
│   ├── Network_PowerShell
│   ├── Process_Bitsadmin Executions
│   ├── Process_Bitsadmin transfer
│   ├── Process_Certutil_decode in appdata
│   ├── Process_Possible_MSOffice_Abuse
│   ├── Process_Rundll32_Control_RunDLL
│   ├── Process_Rundll32_DllRegisterServer
│   ├── Process_Rundll32_Sus
│   ├── Process_Rundll32_possible hta remote
│   ├── Process_Rundll32_roaming
│   ├── Process_at.exe execution
│   ├── Process_wmic_process call
│   ├── Process_wscript_js execution
│   ├── Process_wscript_suspicious rar:zip
│   └── SHELL Detection/
│       ├── Persistence_Potential DLL WebShell_Suspicious IIS module detected
│       └── Process_Persistence_Potential WebShell Execution
└── _config.yml