sigma_rule.csv

appframework_django_exceptions.yml;False
java_jndi_injection_exploitation_attempt.yml;False
java_local_file_read.yml;False
java_ognl_injection_exploitation_attempt.yml;False
java_rce_exploitation_attempt.yml;False
java_xxe_exploitation_attempt.yml;False
kubernetes_audit_deployment_deleted.yml;False
kubernetes_audit_events_deleted.yml;False
kubernetes_audit_exec_into_container.yml;False
kubernetes_audit_hostpath_mount.yml;False
kubernetes_audit_pod_in_system_namespace.yml;False
kubernetes_audit_privileged_pod_creation.yml;False
kubernetes_audit_rbac_permisions_listing.yml;False
kubernetes_audit_secrets_enumeration.yml;False
kubernetes_audit_serviceaccount_creation.yml;False
kubernetes_audit_sidecar_injection.yml;False
nodejs_rce_exploitation_attempt.yml;False
opencanary_ftp_login_attempt.yml;False
opencanary_git_clone_request.yml;False
opencanary_httpproxy_login_attempt.yml;False
opencanary_http_get.yml;False
opencanary_http_post_login_attempt.yml;False
opencanary_mssql_login_sqlauth.yml;False
opencanary_mssql_login_winauth.yml;False
opencanary_mysql_login_attempt.yml;False
opencanary_ntp_monlist.yml;False
opencanary_redis_command.yml;False
opencanary_sip_request.yml;False
opencanary_smb_file_open.yml;False
opencanary_snmp_cmd.yml;False
opencanary_ssh_login_attempt.yml;False
opencanary_ssh_new_connection.yml;False
opencanary_telnet_login_attempt.yml;False
opencanary_tftp_request.yml;False
opencanary_vnc_connection_attempt.yml;False
app_python_sql_exceptions.yml;False
rpc_firewall_atsvc_lateral_movement.yml;False
rpc_firewall_atsvc_recon.yml;False
rpc_firewall_dcsync_attack.yml;False
rpc_firewall_efs_abuse.yml;False
rpc_firewall_eventlog_recon.yml;False
rpc_firewall_itaskschedulerservice_lateral_movement.yml;False
rpc_firewall_itaskschedulerservice_recon.yml;False
rpc_firewall_printing_lateral_movement.yml;False
rpc_firewall_remote_dcom_or_wmi.yml;False
rpc_firewall_remote_registry_lateral_movement.yml;False
rpc_firewall_remote_registry_recon.yml;False
rpc_firewall_remote_server_service_abuse.yml;False
rpc_firewall_remote_service_lateral_movement.yml;False
rpc_firewall_sasec_lateral_movement.yml;False
rpc_firewall_sasec_recon.yml;False
rpc_firewall_sharphound_recon_account.yml;False
rpc_firewall_sharphound_recon_sessions.yml;False
appframework_ruby_on_rails_exceptions.yml;False
spring_application_exceptions.yml;False
spring_spel_injection.yml;False
app_sqlinjection_errors.yml;False
velocity_ssti_injection.yml;False
av_exploiting.yml;False
av_hacktool.yml;False
av_password_dumper.yml;False
av_ransomware.yml;False
av_relevant_files.yml;False
av_webshell.yml;False
db_anomalous_query.yml;False
aws_attached_malicious_lambda_layer.yml;False
aws_cloudtrail_disable_logging.yml;False
aws_config_disable_recording.yml;False
aws_console_getsignintoken.yml;False
aws_delete_identity.yml;False
aws_disable_bucket_versioning.yml;False
aws_ec2_disable_encryption.yml;False
aws_ec2_startup_script_change.yml;False
aws_ec2_vm_export_failure.yml;False
aws_ecs_task_definition_cred_endpoint_query.yml;False
aws_efs_fileshare_modified_or_deleted.yml;False
aws_efs_fileshare_mount_modified_or_deleted.yml;False
aws_eks_cluster_created_or_deleted.yml;False
aws_elasticache_security_group_created.yml;False
aws_elasticache_security_group_modified_or_deleted.yml;False
aws_enum_buckets.yml;False
aws_guardduty_disruption.yml;False
aws_iam_backdoor_users_keys.yml;False
aws_iam_s3browser_loginprofile_creation.yml;False
aws_iam_s3browser_templated_s3_bucket_policy_creation.yml;False
aws_iam_s3browser_user_or_accesskey_creation.yml;False
aws_passed_role_to_glue_development_endpoint.yml;False
aws_rds_change_master_password.yml;False
aws_rds_public_db_restore.yml;False
aws_root_account_usage.yml;False
aws_route_53_domain_transferred_lock_disabled.yml;False
aws_route_53_domain_transferred_to_another_account.yml;False
aws_s3_data_management_tampering.yml;False
aws_securityhub_finding_evasion.yml;False
aws_snapshot_backup_exfiltration.yml;False
aws_sso_idp_change.yml;False
aws_sts_assumerole_misuse.yml;False
aws_sts_getsessiontoken_misuse.yml;False
aws_susp_saml_activity.yml;False
aws_update_login_profile.yml;False
azure_aadhybridhealth_adfs_new_server.yml;False
azure_aadhybridhealth_adfs_service_delete.yml;False
azure_ad_user_added_to_admin_role.yml;False
azure_application_deleted.yml;False
azure_application_gateway_modified_or_deleted.yml;False
azure_application_security_group_modified_or_deleted.yml;False
azure_app_credential_modification.yml;False
azure_container_registry_created_or_deleted.yml;False
azure_creating_number_of_resources_detection.yml;False
azure_device_no_longer_managed_or_compliant.yml;False
azure_device_or_configuration_modified_or_deleted.yml;False
azure_dns_zone_modified_or_deleted.yml;False
azure_firewall_modified_or_deleted.yml;False
azure_firewall_rule_collection_modified_or_deleted.yml;False
azure_granting_permission_detection.yml;False
azure_keyvault_key_modified_or_deleted.yml;False
azure_keyvault_modified_or_deleted.yml;False
azure_keyvault_secrets_modified_or_deleted.yml;False
azure_kubernetes_admission_controller.yml;False
azure_kubernetes_cluster_created_or_deleted.yml;False
azure_kubernetes_cronjob.yml;False
azure_kubernetes_events_deleted.yml;False
azure_kubernetes_network_policy_change.yml;False
azure_kubernetes_pods_deleted.yml;False
azure_kubernetes_rolebinding_modified_or_deleted.yml;False
azure_kubernetes_role_access.yml;False
azure_kubernetes_secret_or_config_object_access.yml;False
azure_kubernetes_service_account_modified_or_deleted.yml;False
azure_mfa_disabled.yml;False
azure_network_firewall_policy_modified_or_deleted.yml;False
azure_network_firewall_rule_modified_or_deleted.yml;False
azure_network_p2s_vpn_modified_or_deleted.yml;False
azure_network_security_modified_or_deleted.yml;False
azure_network_virtual_device_modified_or_deleted.yml;False
azure_new_cloudshell_created.yml;False
azure_owner_removed_from_application_or_service_principal.yml;False
azure_rare_operations.yml;False
azure_service_principal_created.yml;False
azure_service_principal_removed.yml;False
azure_subscription_permissions_elevation_via_activitylogs.yml;False
azure_suppression_rule_created.yml;False
azure_virtual_network_modified_or_deleted.yml;False
azure_vpn_connection_modified_or_deleted.yml;False
azure_aad_secops_ca_policy_removedby_bad_actor.yml;False
azure_aad_secops_ca_policy_updatedby_bad_actor.yml;False
azure_aad_secops_new_ca_policy_addedby_bad_actor.yml;False
azure_ad_account_created_deleted.yml;False
azure_ad_bitlocker_key_retrieval.yml;False
azure_ad_certificate_based_authencation_enabled.yml;False
azure_ad_device_registration_policy_changes.yml;False
azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml;False
azure_ad_new_root_ca_added.yml;False
azure_ad_users_added_to_device_admin_roles.yml;False
azure_app_appid_uri_changes.yml;False
azure_app_credential_added.yml;False
azure_app_delegated_permissions_all_users.yml;False
azure_app_end_user_consent.yml;False
azure_app_end_user_consent_blocked.yml;False
azure_app_owner_added.yml;False
azure_app_permissions_msft.yml;False
azure_app_privileged_permissions.yml;False
azure_app_role_added.yml;False
azure_app_uri_modifications.yml;False
azure_change_to_authentication_method.yml;False
azure_federation_modified.yml;False
azure_group_user_addition_ca_modification.yml;False
azure_group_user_removal_ca_modification.yml;False
azure_guest_invite_failure.yml;False
azure_guest_to_member.yml;False
azure_pim_activation_approve_deny.yml;False
azure_pim_alerts_disabled.yml;False
azure_pim_change_settings.yml;False
azure_priviledged_role_assignment_add.yml;False
azure_priviledged_role_assignment_bulk_change.yml;False
azure_privileged_account_creation.yml;False
azure_subscription_permissions_elevation_via_auditlogs.yml;False
azure_tap_added.yml;False
azure_user_password_change.yml;False
azure_identity_protection_anomalous_token.yml;False
azure_identity_protection_anomalous_user.yml;False
azure_identity_protection_anonymous_ip_activity.yml;False
azure_identity_protection_anonymous_ip_address.yml;False
azure_identity_protection_atypical_travel.yml;False
azure_identity_protection_impossible_travel.yml;False
azure_identity_protection_inbox_forwarding_rule.yml;False
azure_identity_protection_inbox_manipulation.yml;False
azure_identity_protection_leaked_credentials.yml;False
azure_identity_protection_malicious_ip_address.yml;False
azure_identity_protection_malicious_ip_address_suspicious.yml;False
azure_identity_protection_malware_linked_ip.yml;False
azure_identity_protection_new_coutry_region.yml;False
azure_identity_protection_password_spray.yml;False
azure_identity_protection_prt_access.yml;False
azure_identity_protection_suspicious_browser.yml;False
azure_identity_protection_threat_intel.yml;False
azure_identity_protection_token_issuer_anomaly.yml;False
azure_identity_protection_unfamilar_sign_in.yml;False
azure_pim_account_stale.yml;False
azure_pim_invalid_license.yml;False
azure_pim_role_assigned_outside_of_pim.yml;False
azure_pim_role_frequent_activation.yml;False
azure_pim_role_not_used.yml;False
azure_pim_role_no_mfa_required.yml;False
azure_pim_too_many_global_admins.yml;False
azure_account_lockout.yml;False
azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml;False
azure_ad_auth_failure_increase.yml;False
azure_ad_auth_sucess_increase.yml;False
azure_ad_auth_to_important_apps_using_single_factor_auth.yml;False
azure_ad_azurehound_discovery.yml;False
azure_ad_device_registration_or_join_without_mfa.yml;False
azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml;False
azure_ad_only_single_factor_auth_required.yml;False
azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml;False
azure_ad_sign_ins_from_noncompliant_devices.yml;False
azure_ad_sign_ins_from_unknown_devices.yml;False
azure_ad_suspicious_signin_bypassing_mfa.yml;False
azure_app_device_code_authentication.yml;False
azure_app_ropc_authentication.yml;False
azure_blocked_account_attempt.yml;False
azure_conditional_access_failure.yml;False
azure_legacy_authentication_protocols.yml;False
azure_login_to_disabled_account.yml;False
azure_mfa_denies.yml;False
azure_mfa_interrupted.yml;False
azure_unusual_authentication_interruption.yml;False
azure_users_authenticating_to_other_azure_ad_tenants.yml;False
azure_user_login_blocked_by_conditional_access.yml;False
bitbucket_audit_full_data_export_triggered.yml;False
bitbucket_audit_global_permissions_change_detected.yml;False
bitbucket_audit_global_secret_scanning_rule_deleted.yml;False
bitbucket_audit_global_ssh_settings_change_detected.yml;False
bitbucket_audit_log_configuration_update_detected.yml;False
bitbucket_audit_project_secret_scanning_allowlist_added.yml;False
bitbucket_audit_secret_scanning_exempt_repository_detected.yml;False
bitbucket_audit_secret_scanning_rule_deleted.yml;False
bitbucket_audit_unauthorized_access_detected.yml;False
bitbucket_audit_unauthorized_full_data_export_triggered.yml;False
bitbucket_audit_user_details_export_attempt_detected.yml;False
bitbucket_audit_user_login_failure_detected.yml;False
bitbucket_audit_user_login_failure_via_ssh_detected.yml;False
bitbucket_audit_user_permissions_export_attempt_detected.yml;False
cisco_duo_mfa_bypass_via_bypass_code.yml;False
gcp_access_policy_deleted.yml;False
gcp_breakglass_container_workload_deployed.yml;False
gcp_bucket_enumeration.yml;False
gcp_bucket_modified_or_deleted.yml;False
gcp_dlp_re_identifies_sensitive_information.yml;False
gcp_dns_zone_modified_or_deleted.yml;False
gcp_firewall_rule_modified_or_deleted.yml;False
gcp_full_network_traffic_packet_capture.yml;False
gcp_kubernetes_admission_controller.yml;False
gcp_kubernetes_cronjob.yml;False
gcp_kubernetes_rolebinding.yml;False
gcp_kubernetes_secrets_modified_or_deleted.yml;False
gcp_service_account_disabled_or_deleted.yml;False
gcp_service_account_modified.yml;False
gcp_sql_database_modified_or_deleted.yml;False
gcp_vpn_tunnel_modified_or_deleted.yml;False
gcp_gworkspace_application_access_levels_modified.yml;False
gcp_gworkspace_application_removed.yml;False
gcp_gworkspace_granted_domain_api_access.yml;False
gcp_gworkspace_mfa_disabled.yml;False
gcp_gworkspace_role_modified_or_deleted.yml;False
gcp_gworkspace_role_privilege_deleted.yml;False
gcp_gworkspace_user_granted_admin_privileges.yml;False
github_delete_action_invoked.yml;False
github_disabled_outdated_dependency_or_vulnerability.yml;False
github_disable_high_risk_configuration.yml;False
github_new_org_member.yml;False
github_new_secret_created.yml;False
github_outside_collaborator_detected.yml;False
github_push_protection_bypass_detected.yml;False
github_push_protection_disabled.yml;False
github_secret_scanning_feature_disabled.yml;False
github_self_hosted_runner_changes_detected.yml;False
microsoft365_disabling_mfa.yml;False
microsoft365_new_federated_domain_added_audit.yml;False
microsoft365_new_federated_domain_added_exchange.yml;False
microsoft365_from_susp_ip_addresses.yml;False
microsoft365_activity_by_terminated_user.yml;False
microsoft365_activity_from_anonymous_ip_addresses.yml;False
microsoft365_activity_from_infrequent_country.yml;False
microsoft365_data_exfiltration_to_unsanctioned_app.yml;False
microsoft365_impossible_travel_activity.yml;False
microsoft365_logon_from_risky_ip_address.yml;False
microsoft365_potential_ransomware_activity.yml;False
microsoft365_pst_export_alert.yml;False
microsoft365_pst_export_alert_using_new_compliancesearchaction.yml;False
microsoft365_susp_inbox_forwarding.yml;False
microsoft365_susp_oauth_app_file_download_activities.yml;False
microsoft365_unusual_volume_of_file_deletion.yml;False
microsoft365_user_restricted_from_sending_email.yml;False
okta_admin_activity_from_proxy_query.yml;False
okta_admin_role_assigned_to_user_or_group.yml;False
okta_admin_role_assignment_created.yml;False
okta_api_token_created.yml;False
okta_api_token_revoked.yml;False
okta_application_modified_or_deleted.yml;False
okta_application_sign_on_policy_modified_or_deleted.yml;False
okta_fastpass_phishing_detection.yml;False
okta_identity_provider_created.yml;False
okta_mfa_reset_or_deactivated.yml;False
okta_network_zone_deactivated_or_deleted.yml;False
okta_new_behaviours_admin_console.yml;False
okta_password_in_alternateid_field.yml;False
okta_policy_modified_or_deleted.yml;False
okta_policy_rule_modified_or_deleted.yml;False
okta_security_threat_detected.yml;False
okta_suspicious_activity_enduser_report.yml;False
okta_unauthorized_access_to_app.yml;False
okta_user_account_locked_out.yml;False
okta_user_created.yml;False
okta_user_session_start_via_anonymised_proxy.yml;False
onelogin_assumed_another_user.yml;False
onelogin_user_account_locked.yml;False
default_credentials_usage.yml;False
host_without_firewall.yml;False
netflow_cleartext_protocols.yml;False
lnx_auditd_audio_capture.yml;False
lnx_auditd_auditing_config_change.yml;False
lnx_auditd_binary_padding.yml;False
lnx_auditd_bpfdoor_file_accessed.yml;False
lnx_auditd_bpfdoor_port_redirect.yml;False
lnx_auditd_capabilities_discovery.yml;False
lnx_auditd_change_file_time_attr.yml;False
lnx_auditd_chattr_immutable_removal.yml;False
lnx_auditd_clipboard_collection.yml;False
lnx_auditd_clipboard_image_collection.yml;False
lnx_auditd_coinminer.yml;False
lnx_auditd_create_account.yml;False
lnx_auditd_data_compressed.yml;False
lnx_auditd_data_exfil_wget.yml;False
lnx_auditd_dd_delete_file.yml;False
lnx_auditd_disable_system_firewall.yml;False
lnx_auditd_file_or_folder_permissions.yml;False
lnx_auditd_find_cred_in_files.yml;False
lnx_auditd_hidden_binary_execution.yml;False
lnx_auditd_hidden_files_directories.yml;False
lnx_auditd_hidden_zip_files_steganography.yml;False
lnx_auditd_keylogging_with_pam_d.yml;False
lnx_auditd_ld_so_preload_mod.yml;False
lnx_auditd_load_module_insmod.yml;False
lnx_auditd_logging_config_change.yml;False
lnx_auditd_masquerading_crond.yml;False
lnx_auditd_modify_system_firewall.yml;False
lnx_auditd_network_service_scanning.yml;False
lnx_auditd_network_sniffing.yml;False
lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml;False
lnx_auditd_password_policy_discovery.yml;False
lnx_auditd_pers_systemd_reload.yml;False
lnx_auditd_screencapture_import.yml;False
lnx_auditd_screencaputre_xwd.yml;False
lnx_auditd_split_file_into_pieces.yml;False
lnx_auditd_steghide_embed_steganography.yml;False
lnx_auditd_steghide_extract_steganography.yml;False
lnx_auditd_susp_c2_commands.yml;False
lnx_auditd_susp_cmds.yml;False
lnx_auditd_susp_exe_folders.yml;False
lnx_auditd_susp_histfile_operations.yml;False
lnx_auditd_systemd_service_creation.yml;False
lnx_auditd_system_info_discovery.yml;False
lnx_auditd_system_info_discovery2.yml;False
lnx_auditd_system_shutdown_reboot.yml;False
lnx_auditd_unix_shell_configuration_modification.yml;False
lnx_auditd_unzip_hidden_zip_files_steganography.yml;False
lnx_auditd_user_discovery.yml;False
lnx_auditd_web_rce.yml;False
lnx_apt_equationgroup_lnx.yml;False
lnx_buffer_overflows.yml;False
lnx_clear_syslog.yml;False
lnx_file_copy.yml;False
lnx_ldso_preload_injection.yml;False
lnx_nimbuspwn_privilege_escalation_exploit.yml;False
lnx_potential_susp_ebpf_activity.yml;False
lnx_privileged_user_creation.yml;False
lnx_shellshock.yml;False
lnx_shell_clear_cmd_history.yml;False
lnx_shell_susp_commands.yml;False
lnx_shell_susp_log_entries.yml;False
lnx_shell_susp_rev_shells.yml;False
lnx_space_after_filename_.yml;False
lnx_susp_dev_tcp.yml;False
lnx_susp_jexboss.yml;False
lnx_symlink_etc_passwd.yml;False
lnx_auth_pwnkit_local_privilege_escalation.yml;False
lnx_clamav_relevant_message.yml;False
lnx_cron_crontab_file_modification.yml;False
lnx_guacamole_susp_guacamole.yml;False
lnx_sshd_ssh_cve_2018_15473.yml;False
lnx_sshd_susp_ssh.yml;False
lnx_sudo_cve_2019_14287_user.yml;False
lnx_syslog_security_tools_disabling_syslog.yml;False
lnx_syslog_susp_named.yml;False
lnx_vsftpd_susp_error_messages.yml;False
file_event_lnx_doas_conf_creation.yml;False
file_event_lnx_persistence_cron_files.yml;False
file_event_lnx_persistence_sudoers_files.yml;False
file_event_lnx_susp_shell_script_under_profile_directory.yml;False
file_event_lnx_triple_cross_rootkit_lock_file.yml;False
file_event_lnx_triple_cross_rootkit_persistence.yml;False
file_event_lnx_wget_download_file_in_tmp_dir.yml;False
net_connection_lnx_back_connect_shell_dev.yml;False
net_connection_lnx_crypto_mining_indicators.yml;False
net_connection_lnx_ngrok_tunnel.yml;False
net_connection_lnx_susp_malware_callback_port.yml;False
proc_creation_lnx_at_command.yml;False
proc_creation_lnx_base64_decode.yml;False
proc_creation_lnx_base64_execution.yml;False
proc_creation_lnx_base64_shebang_cli.yml;False
proc_creation_lnx_bash_interactive_shell.yml;False
proc_creation_lnx_bpftrace_unsafe_option_usage.yml;False
proc_creation_lnx_bpf_kprob_tracing_enabled.yml;False
proc_creation_lnx_capa_discovery.yml;False
proc_creation_lnx_cat_sudoers.yml;False
proc_creation_lnx_chattr_immutable_removal.yml;False
proc_creation_lnx_clear_logs.yml;False
proc_creation_lnx_clear_syslog.yml;False
proc_creation_lnx_clipboard_collection.yml;False
proc_creation_lnx_cp_passwd_or_shadow_tmp.yml;False
proc_creation_lnx_crontab_enumeration.yml;False
proc_creation_lnx_crontab_removal.yml;False
proc_creation_lnx_crypto_mining.yml;False
proc_creation_lnx_curl_usage.yml;False
proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml;False
proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml;False
proc_creation_lnx_dd_file_overwrite.yml;False
proc_creation_lnx_dd_process_injection.yml;False
proc_creation_lnx_disable_ufw.yml;False
proc_creation_lnx_doas_execution.yml;False
proc_creation_lnx_esxcli_network_discovery.yml;False
proc_creation_lnx_esxcli_permission_change_admin.yml;False
proc_creation_lnx_esxcli_storage_discovery.yml;False
proc_creation_lnx_esxcli_syslog_config_change.yml;False
proc_creation_lnx_esxcli_system_discovery.yml;False
proc_creation_lnx_esxcli_user_account_creation.yml;False
proc_creation_lnx_esxcli_vm_discovery.yml;False
proc_creation_lnx_esxcli_vm_kill.yml;False
proc_creation_lnx_esxcli_vsan_discovery.yml;False
proc_creation_lnx_file_and_directory_discovery.yml;False
proc_creation_lnx_file_deletion.yml;False
proc_creation_lnx_grep_os_arch_discovery.yml;False
proc_creation_lnx_groupdel.yml;False
proc_creation_lnx_gtfobin_apt.yml;False
proc_creation_lnx_gtfobin_vim.yml;False
proc_creation_lnx_install_root_certificate.yml;False
proc_creation_lnx_install_suspicioua_packages.yml;False
proc_creation_lnx_iptables_flush_ufw.yml;False
proc_creation_lnx_kill_process.yml;False
proc_creation_lnx_local_account.yml;False
proc_creation_lnx_local_groups.yml;False
proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml;False
proc_creation_lnx_mkfifo_named_pipe_creation.yml;False
proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml;False
proc_creation_lnx_mount_hidepid.yml;False
proc_creation_lnx_netcat_reverse_shell.yml;False
proc_creation_lnx_nohup.yml;False
proc_creation_lnx_nohup_susp_execution.yml;False
proc_creation_lnx_omigod_scx_runasprovider_executescript.yml;False
proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml;False
proc_creation_lnx_perl_reverse_shell.yml;False
proc_creation_lnx_php_reverse_shell.yml;False
proc_creation_lnx_pnscan_binary_cli_pattern.yml;False
proc_creation_lnx_process_discovery.yml;False
proc_creation_lnx_proxy_connection.yml;False
proc_creation_lnx_python_pty_spawn.yml;False
proc_creation_lnx_python_reverse_shell.yml;False
proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml;False
proc_creation_lnx_remote_system_discovery.yml;False
proc_creation_lnx_remove_package.yml;False
proc_creation_lnx_ruby_reverse_shell.yml;False
proc_creation_lnx_schedule_task_job_cron.yml;False
proc_creation_lnx_security_software_discovery.yml;False
proc_creation_lnx_security_tools_disabling.yml;False
proc_creation_lnx_services_stop_and_disable.yml;False
proc_creation_lnx_setgid_setuid.yml;False
proc_creation_lnx_ssm_agent_abuse.yml;False
proc_creation_lnx_sudo_cve_2019_14287.yml;False
proc_creation_lnx_susp_chmod_directories.yml;False
proc_creation_lnx_susp_container_residence_discovery.yml;False
proc_creation_lnx_susp_curl_fileupload.yml;False
proc_creation_lnx_susp_curl_useragent.yml;False
proc_creation_lnx_susp_dockerenv_recon.yml;False
proc_creation_lnx_susp_execution_tmp_folder.yml;False
proc_creation_lnx_susp_find_execution.yml;False
proc_creation_lnx_susp_git_clone.yml;False
proc_creation_lnx_susp_history_delete.yml;False
proc_creation_lnx_susp_history_recon.yml;False
proc_creation_lnx_susp_hktl_execution.yml;False
proc_creation_lnx_susp_inod_listing.yml;False
proc_creation_lnx_susp_interactive_bash.yml;False
proc_creation_lnx_susp_java_children.yml;False
proc_creation_lnx_susp_network_utilities_execution.yml;False
proc_creation_lnx_susp_pipe_shell.yml;False
proc_creation_lnx_susp_recon_indicators.yml;False
proc_creation_lnx_susp_sensitive_file_access.yml;False
proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml;False
proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml;False
proc_creation_lnx_system_info_discovery.yml;False
proc_creation_lnx_system_network_connections_discovery.yml;False
proc_creation_lnx_system_network_discovery.yml;False
proc_creation_lnx_touch_susp.yml;False
proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml;False
proc_creation_lnx_triple_cross_rootkit_install.yml;False
proc_creation_lnx_userdel.yml;False
proc_creation_lnx_usermod_susp_group.yml;False
proc_creation_lnx_webshell_detection.yml;False
proc_creation_lnx_wget_download_suspicious_directory.yml;False
proc_creation_lnx_xterm_reverse_shell.yml;False
file_event_macos_emond_launch_daemon.yml;False
file_event_macos_startup_items.yml;False
proc_creation_macos_applescript.yml;False
proc_creation_macos_base64_decode.yml;False
proc_creation_macos_binary_padding.yml;False
proc_creation_macos_change_file_time_attr.yml;False
proc_creation_macos_clear_system_logs.yml;False
proc_creation_macos_clipboard_data_via_osascript.yml;False
proc_creation_macos_create_account.yml;False
proc_creation_macos_create_hidden_account.yml;False
proc_creation_macos_creds_from_keychain.yml;False
proc_creation_macos_csrutil_disable.yml;False
proc_creation_macos_csrutil_status.yml;False
proc_creation_macos_disable_security_tools.yml;False
proc_creation_macos_dscl_add_user_to_admin_group.yml;False
proc_creation_macos_dseditgroup_add_to_admin_group.yml;False
proc_creation_macos_dsenableroot_enable_root_account.yml;False
proc_creation_macos_file_and_directory_discovery.yml;False
proc_creation_macos_find_cred_in_files.yml;False
proc_creation_macos_gui_input_capture.yml;False
proc_creation_macos_installer_susp_child_process.yml;False
proc_creation_macos_ioreg_discovery.yml;False
proc_creation_macos_jamf_susp_child.yml;False
proc_creation_macos_jamf_usage.yml;False
proc_creation_macos_jxa_in_memory_execution.yml;False
proc_creation_macos_launchctl_execution.yml;False
proc_creation_macos_local_account.yml;False
proc_creation_macos_local_groups.yml;False
proc_creation_macos_network_service_scanning.yml;False
proc_creation_macos_network_sniffing.yml;False
proc_creation_macos_office_susp_child_processes.yml;False
proc_creation_macos_osacompile_runonly_execution.yml;False
proc_creation_macos_payload_decoded_and_decrypted.yml;False
proc_creation_macos_persistence_via_plistbuddy.yml;False
proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml;False
proc_creation_macos_remote_system_discovery.yml;False
proc_creation_macos_schedule_task_job_cron.yml;False
proc_creation_macos_screencapture.yml;False
proc_creation_macos_security_software_discovery.yml;False
proc_creation_macos_space_after_filename.yml;False
proc_creation_macos_split_file_into_pieces.yml;False
proc_creation_macos_suspicious_applet_behaviour.yml;False
proc_creation_macos_susp_browser_child_process.yml;False
proc_creation_macos_susp_execution_macos_script_editor.yml;False
proc_creation_macos_susp_find_execution.yml;False
proc_creation_macos_susp_histfile_operations.yml;False
proc_creation_macos_susp_in_memory_download_and_compile.yml;False
proc_creation_macos_susp_macos_firmware_activity.yml;False
proc_creation_macos_swvers_discovery.yml;False
proc_creation_macos_sysadminctl_add_user_to_admin_group.yml;False
proc_creation_macos_sysadminctl_enable_guest_account.yml;False
proc_creation_macos_system_network_connections_discovery.yml;False
proc_creation_macos_system_network_discovery.yml;False
proc_creation_macos_system_profiler_discovery.yml;False
proc_creation_macos_system_shutdown_reboot.yml;False
proc_creation_macos_tail_base64_decode_from_image.yml;False
proc_creation_macos_wizardupdate_malware_infection.yml;False
proc_creation_macos_xattr_gatekeeper_bypass.yml;False
proc_creation_macos_xcsset_malware_infection.yml;False
cisco_cli_clear_logs.yml;False
cisco_cli_collect_data.yml;False
cisco_cli_crypto_actions.yml;False
cisco_cli_disable_logging.yml;False
cisco_cli_discovery.yml;False
cisco_cli_dos.yml;False
cisco_cli_file_deletion.yml;False
cisco_cli_input_capture.yml;False
cisco_cli_local_accounts.yml;False
cisco_cli_modify_config.yml;False
cisco_cli_moving_data.yml;False
cisco_cli_net_sniff.yml;False
cisco_bgp_md5_auth_failed.yml;False
cisco_ldp_md5_auth_failed.yml;False
net_dns_external_service_interaction_domains.yml;False
net_dns_mal_cobaltstrike.yml;False
net_dns_pua_cryptocoin_mining_xmr.yml;False
net_dns_susp_b64_queries.yml;False
net_dns_susp_telegram_api.yml;False
net_dns_susp_txt_exec_strings.yml;False
net_dns_wannacry_killswitch_domain.yml;False
net_firewall_cleartext_protocols.yml;False
huawei_bgp_auth_failed.yml;False
juniper_bgp_missing_md5.yml;False
zeek_dce_rpc_mitre_bzar_execution.yml;False
zeek_dce_rpc_mitre_bzar_persistence.yml;False
zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml;False
zeek_dce_rpc_printnightmare_print_driver_install.yml;False
zeek_dce_rpc_smb_spoolss_named_pipe.yml;False
zeek_default_cobalt_strike_certificate.yml;False
zeek_dns_mining_pools.yml;False
zeek_dns_nkn.yml;False
zeek_dns_susp_zbit_flag.yml;False
zeek_dns_torproxy.yml;False
zeek_http_executable_download_from_webdav.yml;False
zeek_http_omigod_no_auth_rce.yml;False
zeek_http_webdav_put_request.yml;False
zeek_rdp_public_listener.yml;False
zeek_smb_converted_win_atsvc_task.yml;False
zeek_smb_converted_win_impacket_secretdump.yml;False
zeek_smb_converted_win_lm_namedpipe.yml;False
zeek_smb_converted_win_susp_psexec.yml;False
zeek_smb_converted_win_susp_raccess_sensitive_fext.yml;False
zeek_smb_converted_win_transferring_files_with_credential_data.yml;False
zeek_susp_kerberos_rc4.yml;False
web_apache_segfault.yml;False
web_apache_threading_error.yml;False
web_nginx_core_dump.yml;False
proxy_downloadcradle_webdav.yml;False
proxy_download_susp_dyndns.yml;False
proxy_download_susp_tlds_blacklist.yml;False
proxy_download_susp_tlds_whitelist.yml;False
proxy_f5_tm_utility_bash_api_request.yml;False
proxy_hktl_baby_shark_default_agent_url.yml;False
proxy_hktl_cobalt_strike_malleable_c2_requests.yml;False
proxy_hktl_empire_ua_uri_patterns.yml;False
proxy_pua_advanced_ip_scanner_update_check.yml;False
proxy_pwndrop.yml;False
proxy_raw_paste_service_access.yml;False
proxy_susp_flash_download_loc.yml;False
proxy_susp_ipfs_cred_harvest.yml;False
proxy_telegram_api.yml;False
proxy_ua_apt.yml;False
proxy_ua_base64_encoded.yml;False
proxy_ua_bitsadmin_susp_ip.yml;False
proxy_ua_bitsadmin_susp_tld.yml;False
proxy_ua_cryptominer.yml;False
proxy_ua_empty.yml;False
proxy_ua_frameworks.yml;False
proxy_ua_hacktool.yml;False
proxy_ua_malware.yml;False
proxy_ua_powershell.yml;False
proxy_ua_rclone.yml;False
proxy_ua_susp.yml;False
proxy_ua_susp_base64.yml;False
proxy_webdav_external_execution.yml;False
web_f5_tm_utility_bash_api_request.yml;False
web_iis_tilt_shortname_scan.yml;False
web_java_payload_in_access_logs.yml;False
web_jndi_exploit.yml;False
web_path_traversal_exploitation_attempt.yml;False
web_source_code_enumeration.yml;False
web_sql_injection_in_access_logs.yml;False
web_ssti_in_access_logs.yml;False
web_susp_useragents.yml;False
web_susp_windows_path_uri.yml;False
web_webshell_regeorg.yml;False
web_win_webshells_in_access_logs.yml;False
web_xss_in_access_logs.yml;False
win_alert_mimikatz_keywords.yml;True
win_application_msmpeng_crash_error.yml;False
win_werfault_susp_lsass_credential_dump.yml;False
win_esent_ntdsutil_abuse.yml;False
win_esent_ntdsutil_abuse_susp_location.yml;False
win_audit_cve.yml;False
win_susp_backup_delete.yml;False
win_software_restriction_policies_block.yml;False
win_builtin_remove_application.yml;True
win_msi_install_from_susp_locations.yml;False
win_msi_install_from_web.yml;False
win_software_atera_rmm_agent_install.yml;False
win_mssql_add_sysadmin_account.yml;False
win_mssql_disable_audit_settings.yml;False
win_mssql_failed_logon.yml;False
win_mssql_failed_logon_from_external_network.yml;False
win_mssql_sp_procoption_set.yml;False
win_mssql_xp_cmdshell_audit_log.yml;False
win_mssql_xp_cmdshell_change.yml;False
win_av_relevant_match.yml;True
win_app_remote_access_tools_screenconnect_command_exec.yml;False
win_app_remote_access_tools_screenconnect_file_transfer.yml;False
win_application_msmpeng_crash_wer.yml;False
win_applocker_file_was_not_allowed_to_run.yml;False
win_appmodel_runtime_sysinternals_tools_appx_execution.yml;False
win_appxdeployment_server_applocker_block.yml;False
win_appxdeployment_server_mal_appx_names.yml;False
win_appxdeployment_server_policy_block.yml;False
win_appxdeployment_server_susp_appx_package_installation.yml;False
win_appxdeployment_server_susp_domains.yml;False
win_appxdeployment_server_susp_package_locations.yml;False
win_appxdeployment_server_uncommon_package_locations.yml;False
win_appxpackaging_om_sups_appx_signature.yml;False
win_bits_client_new_job_via_bitsadmin.yml;False
win_bits_client_new_job_via_powershell.yml;False
win_bits_client_new_transfer_saving_susp_extensions.yml;False
win_bits_client_new_transfer_via_file_sharing_domains.yml;False
win_bits_client_new_transfer_via_ip_address.yml;False
win_bits_client_new_transfer_via_uncommon_tld.yml;False
win_bits_client_new_trasnfer_susp_local_folder.yml;False
win_capi2_acquire_certificate_private_key.yml;False
win_certificateservicesclient_lifecycle_system_cert_exported.yml;False
win_codeintegrity_attempted_dll_load.yml;False
win_codeintegrity_blocked_protected_process_file.yml;False
win_codeintegrity_enforced_policy_block.yml;False
win_codeintegrity_revoked_driver_blocked.yml;False
win_codeintegrity_revoked_driver_loaded.yml;False
win_codeintegrity_revoked_image_blocked.yml;False
win_codeintegrity_revoked_image_loaded.yml;False
win_codeintegrity_unsigned_driver_loaded.yml;False
win_codeintegrity_unsigned_image_loaded.yml;False
win_codeintegrity_whql_failure.yml;False
win_diagnosis_scripted_load_remote_diagcab.yml;False
win_dns_client_anonymfiles_com.yml;False
win_dns_client_mega_nz.yml;False
win_dns_client_tor_onion.yml;False
win_dns_client_ufile_io.yml;False
win_dns_client__mal_cobaltstrike.yml;False
win_dns_server_failed_dns_zone_transfer.yml;False
win_dns_server_susp_server_level_plugin_dll.yml;False
win_usb_device_plugged.yml;False
win_firewall_as_add_rule.yml;True
win_firewall_as_add_rule_susp_folder.yml;False
win_firewall_as_add_rule_wmiprvse.yml;True
win_firewall_as_delete_all_rules.yml;False
win_firewall_as_delete_rule.yml;False
win_firewall_as_failed_load_gpo.yml;False
win_firewall_as_reset_config.yml;False
win_firewall_as_setting_change.yml;False
win_ldap_recon.yml;True
win_lsa_server_normal_user_admin.yml;False
win_exchange_proxylogon_oabvirtualdir.yml;False
win_exchange_proxyshell_certificate_generation.yml;False
win_exchange_proxyshell_mailbox_export.yml;False
win_exchange_proxyshell_remove_mailbox_export.yml;False
win_exchange_set_oabvirtualdirectory_externalurl.yml;False
win_exchange_transportagent.yml;False
win_exchange_transportagent_failed.yml;False
win_susp_ntlm_auth.yml;False
win_susp_ntlm_brute_force.yml;False
win_susp_ntlm_rdp.yml;False
win_sshd_openssh_server_listening_on_socket.yml;False
win_security_aadhealth_mon_agent_regkey_access.yml;False
win_security_aadhealth_svc_agent_regkey_access.yml;False
win_security_account_backdoor_dcsync_rights.yml;False
win_security_account_discovery.yml;False
win_security_adcs_certificate_template_configuration_vulnerability.yml;False
win_security_adcs_certificate_template_configuration_vulnerability_eku.yml;False
win_security_add_remove_computer.yml;False
win_security_admin_share_access.yml;False
win_security_ad_object_writedac_access.yml;False
win_security_ad_replication_non_machine_account.yml;False
win_security_ad_user_enumeration.yml;False
win_security_alert_active_directory_user_control.yml;False
win_security_alert_ad_user_backdoors.yml;False
win_security_alert_enable_weak_encryption.yml;False
win_security_alert_ruler.yml;False
win_security_atsvc_task.yml;False
win_security_audit_log_cleared.yml;True
win_security_camera_microphone_access.yml;False
win_security_cobaltstrike_service_installs.yml;False
win_security_codeintegrity_check_failure.yml;False
win_security_dce_rpc_smb_spoolss_named_pipe.yml;False
win_security_dcom_iertutil_dll_hijack.yml;False
win_security_dcsync.yml;False
win_security_device_installation_blocked.yml;False
win_security_disable_event_auditing.yml;True
win_security_disable_event_auditing_critical.yml;False
win_security_dot_net_etw_tamper.yml;False
win_security_dpapi_domain_backupkey_extraction.yml;False
win_security_dpapi_domain_masterkey_backup_attempt.yml;False
win_security_external_device.yml;False
win_security_gpo_scheduledtasks.yml;False
win_security_hidden_user_creation.yml;False
win_security_hktl_edr_silencer.yml;False
win_security_hktl_nofilter.yml;False
win_security_hybridconnectionmgr_svc_installation.yml;False
win_security_impacket_psexec.yml;False
win_security_impacket_secretdump.yml;False
win_security_invoke_obfuscation_clip_services_security.yml;False
win_security_invoke_obfuscation_obfuscated_iex_services_security.yml;False
win_security_invoke_obfuscation_stdin_services_security.yml;False
win_security_invoke_obfuscation_var_services_security.yml;False
win_security_invoke_obfuscation_via_compress_services_security.yml;False
win_security_invoke_obfuscation_via_rundll_services_security.yml;False
win_security_invoke_obfuscation_via_stdin_services_security.yml;False
win_security_invoke_obfuscation_via_use_clip_services_security.yml;False
win_security_invoke_obfuscation_via_use_mshta_services_security.yml;False
win_security_invoke_obfuscation_via_use_rundll32_services_security.yml;False
win_security_invoke_obfuscation_via_var_services_security.yml;False
win_security_iso_mount.yml;True
win_security_lm_namedpipe.yml;False
win_security_lsass_access_non_system_account.yml;False
win_security_mal_creddumper.yml;False
win_security_mal_wceaux_dll.yml;False
win_security_metasploit_authentication.yml;False
win_security_metasploit_or_impacket_smb_psexec_service_install.yml;False
win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml;False
win_security_net_ntlm_downgrade.yml;False
win_security_net_share_obj_susp_desktop_ini.yml;False
win_security_new_or_renamed_user_account_with_dollar_sign.yml;False
win_security_not_allowed_rdp_access.yml;False
win_security_password_policy_enumerated.yml;False
win_security_pcap_drivers.yml;False
win_security_petitpotam_network_share.yml;False
win_security_petitpotam_susp_tgt_request.yml;False
win_security_possible_dc_shadow.yml;False
win_security_powershell_script_installed_as_service.yml;False
win_security_protected_storage_service_access.yml;False
win_security_rdp_reverse_tunnel.yml;False
win_security_register_new_logon_process_by_rubeus.yml;False
win_security_registry_permissions_weakness_check.yml;False
win_security_remote_powershell_session.yml;False
win_security_replay_attack_detected.yml;False
win_security_sam_registry_hive_handle_request.yml;False
win_security_scm_database_handle_failure.yml;False
win_security_scm_database_privileged_operation.yml;False
win_security_service_installation_by_unusal_client.yml;False
win_security_service_install_remote_access_software.yml;False
win_security_smb_file_creation_admin_shares.yml;False
win_security_susp_add_domain_trust.yml;False
win_security_susp_add_sid_history.yml;False
win_security_susp_computer_name.yml;False
win_security_susp_dsrm_password_change.yml;False
win_security_susp_failed_logon_reasons.yml;False
win_security_susp_kerberos_manipulation.yml;False
win_security_susp_ldap_dataexchange.yml;False
win_security_susp_local_anon_logon_created.yml;False
win_security_susp_logon_explicit_credentials.yml;True
win_security_susp_lsass_dump.yml;False
win_security_susp_lsass_dump_generic.yml;False
win_security_susp_net_recon_activity.yml;False
win_security_susp_opened_encrypted_zip.yml;False
win_security_susp_opened_encrypted_zip_filename.yml;False
win_security_susp_opened_encrypted_zip_outlook.yml;False
win_security_susp_outbound_kerberos_connection.yml;True
win_security_susp_possible_shadow_credentials_added.yml;False
win_security_susp_psexec.yml;False
win_security_susp_raccess_sensitive_fext.yml;False
win_security_susp_rc4_kerberos.yml;False
win_security_susp_scheduled_task_creation.yml;False
win_security_susp_scheduled_task_delete_or_disable.yml;False
win_security_susp_scheduled_task_update.yml;False
win_security_susp_sdelete.yml;False
win_security_susp_time_modification.yml;False
win_security_svcctl_remote_service.yml;False
win_security_syskey_registry_access.yml;False
win_security_sysmon_channel_reference_deletion.yml;False
win_security_tap_driver_installation.yml;False
win_security_teams_suspicious_objectaccess.yml;False
win_security_transf_files_with_cred_data_via_network_shares.yml;False
win_security_user_added_to_local_administrators.yml;False
win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml;False
win_security_user_creation.yml;False
win_security_user_driver_loaded.yml;False
win_security_user_logoff.yml;False
win_security_vssaudit_secevent_source_registration.yml;False
win_security_windows_defender_exclusions_registry_modified.yml;False
win_security_windows_defender_exclusions_write_access.yml;False
win_security_windows_defender_exclusions_write_deleted.yml;False
win_security_wmiprvse_wbemcomn_dll_hijack.yml;False
win_security_wmi_persistence.yml;False
win_security_workstation_was_locked.yml;False
win_security_access_token_abuse.yml;False
win_security_admin_rdp_login.yml;False
win_security_diagtrack_eop_default_login_username.yml;False
win_security_member_added_security_enabled_global_group.yml;False
win_security_member_removed_security_enabled_global_group.yml;False
win_security_overpass_the_hash.yml;True
win_security_pass_the_hash_2.yml;True
win_security_rdp_bluekeep_poc_scanner.yml;False
win_security_rdp_localhost_login.yml;False
win_security_scrcons_remote_wmi_scripteventconsumer.yml;False
win_security_security_enabled_global_group_deleted.yml;False
win_security_successful_external_remote_rdp_login.yml;False
win_security_successful_external_remote_smb_login.yml;False
win_security_susp_failed_logon_source.yml;False
win_security_susp_krbrelayup.yml;False
win_security_susp_logon_newcredentials.yml;False
win_security_susp_rottenpotato.yml;False
win_security_susp_wmi_login.yml;False
win_security_wfp_endpoint_agent_blocked.yml;False
win_security_mitigations_defender_load_unsigned_dll.yml;False
win_security_mitigations_unsigned_dll_from_susp_location.yml;False
win_hybridconnectionmgr_svc_running.yml;False
win_shell_core_susp_packages_installed.yml;False
win_smbclient_security_susp_failed_guest_logon.yml;False
win_system_application_sysmon_crash.yml;False
win_system_lsasrv_ntlmv1.yml;False
win_system_adcs_enrollment_request_denied.yml;False
win_system_susp_dhcp_config.yml;False
win_system_susp_dhcp_config_failed.yml;False
win_system_exploit_cve_2021_42287.yml;False
win_system_lpe_indicators_tabtip.yml;False
win_system_eventlog_cleared.yml;True
win_system_susp_eventlog_cleared.yml;False
win_system_kdcsvc_cert_use_no_strong_mapping.yml;False
win_system_kdcsvc_rc4_downgrade.yml;False
win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml;False
win_system_susp_critical_hive_location_access_bits_cleared.yml;False
win_system_volume_shadow_copy_mount.yml;False
win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml;False
win_system_susp_system_update_error.yml;False
win_system_possible_zerologon_exploitation_using_wellknown_tools.yml;False
win_system_vul_cve_2020_1472.yml;False
win_system_ntfs_vuln_exploit.yml;False
win_system_cobaltstrike_service_installs.yml;False
win_system_defender_disabled.yml;False
win_system_hack_smbexec.yml;False
win_system_invoke_obfuscation_clip_services.yml;False
win_system_invoke_obfuscation_obfuscated_iex_services.yml;False
win_system_invoke_obfuscation_stdin_services.yml;False
win_system_invoke_obfuscation_var_services.yml;False
win_system_invoke_obfuscation_via_compress_services.yml;False
win_system_invoke_obfuscation_via_rundll_services.yml;False
win_system_invoke_obfuscation_via_stdin_services.yml;False
win_system_invoke_obfuscation_via_use_clip_services.yml;False
win_system_invoke_obfuscation_via_use_mshta_services.yml;False
win_system_invoke_obfuscation_via_use_rundll32_services.yml;False
win_system_invoke_obfuscation_via_var_services.yml;False
win_system_krbrelayup_service_installation.yml;False
win_system_mal_creddumper.yml;False
win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml;True
win_system_moriya_rootkit.yml;False
win_system_powershell_script_installed_as_service.yml;False
win_system_service_install_anydesk.yml;False
win_system_service_install_csexecsvc.yml;False
win_system_service_install_hacktools.yml;False
win_system_service_install_mesh_agent.yml;False
win_system_service_install_netsupport_manager.yml;False
win_system_service_install_paexec.yml;False
win_system_service_install_pdqdeploy.yml;False
win_system_service_install_pdqdeploy_runner.yml;False
win_system_service_install_pua_proceshacker.yml;False
win_system_service_install_remcom.yml;False
win_system_service_install_remote_access_software.yml;False
win_system_service_install_remote_utilities.yml;False
win_system_service_install_sliver.yml;False
win_system_service_install_sups_unusal_client.yml;False
win_system_service_install_susp.yml;True
win_system_service_install_sysinternals_psexec.yml;True
win_system_service_install_tacticalrmm.yml;False
win_system_service_install_tap_driver.yml;False
win_system_service_install_uncommon.yml;False
win_system_service_terminated_error_generic.yml;False
win_system_service_terminated_error_important.yml;False
win_system_service_terminated_unexpectedly.yml;False
win_system_susp_rtcore64_service_install.yml;False
win_system_susp_service_installation_folder.yml;True
win_system_susp_service_installation_folder_pattern.yml;False
win_system_susp_service_installation_script.yml;False
win_system_rdp_potential_cve_2019_0708.yml;False
win_taskscheduler_execution_from_susp_locations.yml;False
win_taskscheduler_lolbin_execution_via_task_scheduler.yml;False
win_taskscheduler_susp_schtasks_delete.yml;True
win_terminalservices_rdp_ngrok.yml;False
win_defender_antimalware_platform_expired.yml;False
win_defender_asr_lsass_access.yml;False
win_defender_asr_psexec_wmi.yml;False
win_defender_config_change_exclusion_added.yml;False
win_defender_config_change_exploit_guard_tamper.yml;False
win_defender_config_change_sample_submission_consent.yml;False
win_defender_history_delete.yml;False
win_defender_malware_and_pua_scan_disabled.yml;False
win_defender_malware_detected_amsi_source.yml;False
win_defender_real_time_protection_disabled.yml;False
win_defender_real_time_protection_errors.yml;False
win_defender_restored_quarantine_file.yml;False
win_defender_suspicious_features_tampering.yml;False
win_defender_tamper_protection_trigger.yml;False
win_defender_threat.yml;False
win_defender_virus_scan_disabled.yml;False
win_wmi_persistence.yml;True
create_remote_thread_win_hktl_cactustorch.yml;False
create_remote_thread_win_hktl_cobaltstrike.yml;False
create_remote_thread_win_keepass.yml;False
create_remote_thread_win_mstsc_susp_location.yml;False
create_remote_thread_win_powershell_lsass.yml;False
create_remote_thread_win_powershell_susp_targets.yml;False
create_remote_thread_win_susp_password_dumper_lsass.yml;False
create_remote_thread_win_susp_relevant_source_image.yml;False
create_remote_thread_win_susp_uncommon_source_image.yml;True
create_remote_thread_win_susp_uncommon_target_image.yml;True
create_remote_thread_win_ttdinjec.yml;False
create_stream_hash_ads_executable.yml;True
create_stream_hash_creation_internet_file.yml;True
create_stream_hash_file_sharing_domains_download_susp_extension.yml;False
create_stream_hash_file_sharing_domains_download_unusual_extension.yml;False
create_stream_hash_hktl_generic_download.yml;False
create_stream_hash_regedit_export_to_ads.yml;False
create_stream_hash_susp_ip_domains.yml;False
create_stream_hash_winget_susp_package_source.yml;False
create_stream_hash_zip_tld_download.yml;False
dns_query_win_anonymfiles_com.yml;False
dns_query_win_appinstaller.yml;False
dns_query_win_cloudflared_communication.yml;False
dns_query_win_devtunnels_communication.yml;False
dns_query_win_dns_server_discovery_via_ldap_query.yml;False
dns_query_win_hybridconnectionmgr_servicebus.yml;False
dns_query_win_mal_cobaltstrike.yml;False
dns_query_win_mega_nz.yml;False
dns_query_win_onelaunch_update_service.yml;False
dns_query_win_regsvr32_dns_query.yml;True
dns_query_win_remote_access_software_domains_non_browsers.yml;True
dns_query_win_susp_external_ip_lookup.yml;False
dns_query_win_teamviewer_domain_query_by_uncommon_app.yml;False
dns_query_win_tor_onion_domain_query.yml;False
dns_query_win_ufile_io_query.yml;False
dns_query_win_vscode_tunnel_communication.yml;False
driver_load_win_mal_drivers.yml;False
driver_load_win_mal_drivers_names.yml;False
driver_load_win_pua_process_hacker.yml;False
driver_load_win_pua_system_informer.yml;False
driver_load_win_susp_temp_use.yml;False
driver_load_win_vuln_drivers.yml;False
driver_load_win_vuln_drivers_names.yml;False
driver_load_win_vuln_hevd_driver.yml;False
driver_load_win_vuln_winring0_driver.yml;False
driver_load_win_windivert.yml;False
file_access_win_browser_credential_access.yml;True
file_access_win_credential_manager_access.yml;False
file_access_win_dpapi_master_key_access.yml;False
file_access_win_outlook_mail_credential_access.yml;False
file_access_win_reg_and_hive_access.yml;False
file_access_win_susp_cred_hist_access.yml;False
file_access_win_susp_gpo_access_file.yml;False
file_change_win_2022_timestomping.yml;False
file_change_win_unusual_modification_by_dns_exe.yml;False
file_delete_win_cve_2021_1675_print_nightmare.yml;False
file_delete_win_delete_backup_file.yml;True
file_delete_win_delete_event_log_files.yml;False
file_delete_win_delete_exchange_powershell_logs.yml;False
file_delete_win_delete_iis_access_logs.yml;False
file_delete_win_delete_powershell_command_history.yml;False
file_delete_win_delete_prefetch.yml;True
file_delete_win_delete_teamviewer_logs.yml;True
file_delete_win_delete_tomcat_logs.yml;False
file_delete_win_sysinternals_sdelete_file_deletion.yml;True
file_delete_win_unusual_deletion_by_dns_exe.yml;False
file_delete_win_zone_identifier_ads_uncommon.yml;False
file_event_win_access_susp_teams.yml;False
file_event_win_access_susp_unattend_xml.yml;True
file_event_win_adsi_cache_creation_by_uncommon_tool.yml;False
file_event_win_advanced_ip_scanner.yml;False
file_event_win_anydesk_artefact.yml;True
file_event_win_anydesk_writing_susp_binaries.yml;False
file_event_win_aspnet_temp_files.yml;False
file_event_win_bloodhound_collection.yml;False
file_event_win_create_evtx_non_common_locations.yml;False
file_event_win_create_non_existent_dlls.yml;False
file_event_win_creation_new_shim_database.yml;True
file_event_win_creation_scr_binary_file.yml;True
file_event_win_creation_system_file.yml;True
file_event_win_creation_unquoted_service_path.yml;True
file_event_win_cred_dump_tools_dropped_files.yml;False
file_event_win_cscript_wscript_dropper.yml;False
file_event_win_csexec_service.yml;False
file_event_win_csharp_compile_artefact.yml;True
file_event_win_dcom_iertutil_dll_hijack.yml;False
file_event_win_dll_sideloading_space_path.yml;False
file_event_win_dump_file_susp_creation.yml;False
file_event_win_errorhandler_persistence.yml;False
file_event_win_exchange_webshell_drop.yml;False
file_event_win_exchange_webshell_drop_suspicious.yml;False
file_event_win_gotoopener_artefact.yml;True
file_event_win_hktl_crackmapexec_indicators.yml;False
file_event_win_hktl_dumpert.yml;True
file_event_win_hktl_hivenightmare_file_exports.yml;False
file_event_win_hktl_inveigh_artefacts.yml;False
file_event_win_hktl_mimikatz_files.yml;False
file_event_win_hktl_nppspy.yml;True
file_event_win_hktl_powerup_dllhijacking.yml;True
file_event_win_hktl_quarkspw_filedump.yml;False
file_event_win_hktl_remote_cred_dump.yml;False
file_event_win_hktl_safetykatz.yml;False
file_event_win_initial_access_dll_search_order_hijacking.yml;False
file_event_win_install_teamviewer_desktop.yml;True
file_event_win_iphlpapi_dll_sideloading.yml;False
file_event_win_iso_file_mount.yml;False
file_event_win_iso_file_recent.yml;False
file_event_win_lolbin_gather_network_info_script_output.yml;False
file_event_win_lsass_default_dump_file_names.yml;True
file_event_win_lsass_shtinkering.yml;False
file_event_win_lsass_werfault_dump.yml;False
file_event_win_mal_adwind.yml;False
file_event_win_mal_octopus_scanner.yml;True
file_event_win_msdt_susp_directories.yml;False
file_event_win_net_cli_artefact.yml;True
file_event_win_new_files_in_uncommon_appdata_folder.yml;False
file_event_win_new_scr_file.yml;True
file_event_win_notepad_plus_plus_persistence.yml;False
file_event_win_ntds_dit_creation.yml;False
file_event_win_ntds_dit_uncommon_parent_process.yml;False
file_event_win_ntds_dit_uncommon_process.yml;False
file_event_win_ntds_exfil_tools.yml;False
file_event_win_office_addin_persistence.yml;True
file_event_win_office_macro_files_created.yml;False
file_event_win_office_macro_files_downloaded.yml;False
file_event_win_office_macro_files_from_susp_process.yml;True
file_event_win_office_onenote_files_in_susp_locations.yml;False
file_event_win_office_onenote_susp_dropped_files.yml;False
file_event_win_office_outlook_macro_creation.yml;True
file_event_win_office_outlook_newform.yml;True
file_event_win_office_outlook_susp_macro_creation.yml;False
file_event_win_office_publisher_files_in_susp_locations.yml;False
file_event_win_office_startup_persistence.yml;False
file_event_win_office_susp_file_extension.yml;True
file_event_win_office_uncommon_file_startup.yml;False
file_event_win_pcre_net_temp_file.yml;False
file_event_win_perflogs_susp_files.yml;False
file_event_win_powershell_drop_binary_or_script.yml;True
file_event_win_powershell_drop_powershell.yml;False
file_event_win_powershell_exploit_scripts.yml;True
file_event_win_powershell_module_creation.yml;False
file_event_win_powershell_module_susp_creation.yml;False
file_event_win_powershell_module_uncommon_creation.yml;False
file_event_win_powershell_startup_shortcuts.yml;True
file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml;False
file_event_win_rclone_config_files.yml;False
file_event_win_rdp_file_susp_creation.yml;False
file_event_win_redmimicry_winnti_filedrop.yml;False
file_event_win_remcom_service.yml;False
file_event_win_remote_access_tools_screenconnect_artefact.yml;True
file_event_win_remote_access_tools_screenconnect_remote_file.yml;False
file_event_win_ripzip_attack.yml;False
file_event_win_sam_dump.yml;True
file_event_win_sed_file_creation.yml;False
file_event_win_shell_write_susp_directory.yml;True
file_event_win_shell_write_susp_files_extensions.yml;False
file_event_win_startup_folder_file_write.yml;True
file_event_win_susp_colorcpl.yml;False
file_event_win_susp_creation_by_mobsync.yml;False
file_event_win_susp_default_gpo_dir_write.yml;False
file_event_win_susp_desktopimgdownldr_file.yml;False
file_event_win_susp_desktop_ini.yml;False
file_event_win_susp_desktop_txt.yml;True
file_event_win_susp_diagcab.yml;False
file_event_win_susp_double_extension.yml;False
file_event_win_susp_exchange_aspx_write.yml;False
file_event_win_susp_executable_creation.yml;False
file_event_win_susp_get_variable.yml;True
file_event_win_susp_hidden_dir_index_allocation.yml;False
file_event_win_susp_homoglyph_filename.yml;False
file_event_win_susp_legitimate_app_dropping_archive.yml;False
file_event_win_susp_legitimate_app_dropping_exe.yml;False
file_event_win_susp_legitimate_app_dropping_script.yml;False
file_event_win_susp_lnk_double_extension.yml;False
file_event_win_susp_pfx_file_creation.yml;True
file_event_win_susp_powershell_profile.yml;False
file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml;False
file_event_win_susp_recycle_bin_fake_exec.yml;False
file_event_win_susp_spool_drivers_color_drop.yml;False
file_event_win_susp_startup_folder_persistence.yml;False
file_event_win_susp_system_interactive_powershell.yml;False
file_event_win_susp_task_write.yml;False
file_event_win_susp_teamviewer_remote_session.yml;False
file_event_win_susp_vscode_powershell_profile.yml;False
file_event_win_susp_windows_terminal_profile.yml;False
file_event_win_susp_winsxs_binary_creation.yml;False
file_event_win_sysinternals_livekd_default_dump_name.yml;False
file_event_win_sysinternals_livekd_driver.yml;False
file_event_win_sysinternals_livekd_driver_susp_creation.yml;False
file_event_win_sysinternals_procexp_driver_susp_creation.yml;False
file_event_win_sysinternals_procmon_driver_susp_creation.yml;False
file_event_win_sysinternals_psexec_service.yml;True
file_event_win_sysinternals_psexec_service_key.yml;False
file_event_win_system32_local_folder_privilege_escalation.yml;False
file_event_win_taskmgr_lsass_dump.yml;False
file_event_win_tsclient_filewrite_startup.yml;False
file_event_win_uac_bypass_consent_comctl32.yml;False
file_event_win_uac_bypass_dotnet_profiler.yml;False
file_event_win_uac_bypass_eventvwr.yml;False
file_event_win_uac_bypass_idiagnostic_profile.yml;False
file_event_win_uac_bypass_ieinstal.yml;False
file_event_win_uac_bypass_msconfig_gui.yml;False
file_event_win_uac_bypass_ntfs_reparse_point.yml;False
file_event_win_uac_bypass_winsat.yml;False
file_event_win_uac_bypass_wmp.yml;False
file_event_win_vhd_download_via_browsers.yml;False
file_event_win_vscode_tunnel_remote_creation_artefacts.yml;False
file_event_win_vscode_tunnel_renamed_execution.yml;False
file_event_win_webshell_creation_detect.yml;True
file_event_win_werfault_dll_hijacking.yml;False
file_event_win_winrm_awl_bypass.yml;False
file_event_win_wmiexec_default_filename.yml;False
file_event_win_wmiprvse_wbemcomn_dll_hijack.yml;False
file_event_win_wmi_persistence_script_event_consumer_write.yml;False
file_event_win_wpbbin_persistence.yml;False
file_event_win_writing_local_admin_share.yml;True
file_executable_detected_win_susp_embeded_sed_file.yml;False
file_rename_win_ransomware.yml;False
image_load_cmstp_load_dll_from_susp_location.yml;False
image_load_dll_amsi_suspicious_process.yml;False
image_load_dll_azure_microsoft_account_token_provider_dll_load.yml;False
image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml;False
image_load_dll_credui_uncommon_process_load.yml;True
image_load_dll_dbghelp_dbgcore_unsigned_load.yml;False
image_load_dll_pcre_dotnet_dll_load.yml;False
image_load_dll_rstrtmgr_suspicious_load.yml;False
image_load_dll_rstrtmgr_uncommon_load.yml;False
image_load_dll_sdiageng_load_by_msdt.yml;False
image_load_dll_system_management_automation_susp_load.yml;True
image_load_dll_tttracer_module_load.yml;False
image_load_dll_vssapi_susp_load.yml;False
image_load_dll_vsstrace_susp_load.yml;False
image_load_dll_vss_ps_susp_load.yml;True
image_load_hktl_sharpevtmute.yml;False
image_load_hktl_silenttrinity_stager.yml;False
image_load_iexplore_dcom_iertutil_dll_hijack.yml;False
image_load_lsass_unsigned_image_load.yml;False
image_load_office_dotnet_assembly_dll_load.yml;True
image_load_office_dotnet_clr_dll_load.yml;True
image_load_office_dotnet_gac_dll_load.yml;True
image_load_office_dsparse_dll_load.yml;False
image_load_office_excel_xll_susp_load.yml;False
image_load_office_kerberos_dll_load.yml;False
image_load_office_outlook_outlvba_load.yml;False
image_load_office_powershell_dll_load.yml;False
image_load_office_vbadll_load.yml;True
image_load_rundll32_remote_share_load.yml;False
image_load_scrcons_wmi_scripteventconsumer.yml;False
image_load_side_load_7za.yml;False
image_load_side_load_abused_dlls_susp_paths.yml;False
image_load_side_load_antivirus.yml;False
image_load_side_load_appverifui.yml;False
image_load_side_load_aruba_networks_virtual_intranet_access.yml;False
image_load_side_load_avkkid.yml;False
image_load_side_load_ccleaner_du.yml;False
image_load_side_load_ccleaner_reactivator.yml;False
image_load_side_load_chrome_frame_helper.yml;False
image_load_side_load_classicexplorer32.yml;False
image_load_side_load_comctl32.yml;False
image_load_side_load_coregen.yml;False
image_load_side_load_cpl_from_non_system_location.yml;False
image_load_side_load_dbgcore_dll.yml;False
image_load_side_load_dbghelp_dll.yml;False
image_load_side_load_eacore.yml;False
image_load_side_load_edputil.yml;False
image_load_side_load_from_non_system_location.yml;False
image_load_side_load_goopdate.yml;False
image_load_side_load_gup_libcurl.yml;False
image_load_side_load_iviewers.yml;False
image_load_side_load_jsschhlp.yml;False
image_load_side_load_keyscrambler.yml;False
image_load_side_load_libvlc.yml;False
image_load_side_load_mfdetours.yml;False
image_load_side_load_mfdetours_unsigned.yml;False
image_load_side_load_non_existent_dlls.yml;False
image_load_side_load_office_dlls.yml;False
image_load_side_load_rcdll.yml;False
image_load_side_load_rjvplatform_default_location.yml;False
image_load_side_load_rjvplatform_non_default_location.yml;False
image_load_side_load_robform.yml;False
image_load_side_load_shelldispatch.yml;False
image_load_side_load_shell_chrome_api.yml;False
image_load_side_load_smadhook.yml;False
image_load_side_load_solidpdfcreator.yml;False
image_load_side_load_third_party.yml;False
image_load_side_load_ualapi.yml;False
image_load_side_load_vivaldi_elf.yml;False
image_load_side_load_vmguestlib.yml;False
image_load_side_load_vmmap_dbghelp_signed.yml;False
image_load_side_load_vmmap_dbghelp_unsigned.yml;False
image_load_side_load_vmware_xfer.yml;False
image_load_side_load_waveedit.yml;False
image_load_side_load_wazuh.yml;False
image_load_side_load_windows_defender.yml;False
image_load_side_load_wwlib.yml;False
image_load_spoolsv_dll_load.yml;False
image_load_susp_clickonce_unsigned_module_loaded.yml;False
image_load_susp_dll_load_system_process.yml;True
image_load_susp_python_image_load.yml;True
image_load_susp_script_dotnet_clr_dll_load.yml;False
image_load_susp_unsigned_dll.yml;False
image_load_thor_unsigned_execution.yml;False
image_load_uac_bypass_iscsicpl.yml;False
image_load_uac_bypass_via_dism.yml;False
image_load_wmic_remote_xsl_scripting_dlls.yml;True
image_load_wmiprvse_wbemcomn_dll_hijack.yml;False
image_load_wmi_persistence_commandline_event_consumer.yml;False
image_load_wsman_provider_image_load.yml;True
net_connection_win_addinutil.yml;False
net_connection_win_certutil_initiated_connection.yml;False
net_connection_win_dialer_initiated_connection.yml;False
net_connection_win_dllhost_non_local_ip.yml;False
net_connection_win_domain_mega_nz.yml;False
net_connection_win_domain_ngrok.yml;False
net_connection_win_domain_ngrok_tunnel.yml;False
net_connection_win_eqnedt.yml;False
net_connection_win_imewdbld.yml;True
net_connection_win_msiexec_http.yml;True
net_connection_win_notepad.yml;False
net_connection_win_notion_api_susp_communication.yml;False
net_connection_win_office_outbound_non_local_ip.yml;True
net_connection_win_office_uncommon_ports.yml;False
net_connection_win_python.yml;True
net_connection_win_rdp_outbound_over_non_standard_tools.yml;True
net_connection_win_rdp_reverse_tunnel.yml;False
net_connection_win_rdp_to_http.yml;False
net_connection_win_regasm_network_activity.yml;False
net_connection_win_regsvr32_network_activity.yml;True
net_connection_win_rundll32_net_connections.yml;True
net_connection_win_script.yml;True
net_connection_win_script_wan.yml;True
net_connection_win_silenttrinity_stager_msbuild_activity.yml;False
net_connection_win_susp_binary_no_cmdline.yml;False
net_connection_win_susp_cmstp.yml;False
net_connection_win_susp_crypto_mining_pools.yml;False
net_connection_win_susp_dead_drop_resolvers.yml;False
net_connection_win_susp_devtunnel_connection.yml;False
net_connection_win_susp_dropbox_api.yml;False
net_connection_win_susp_external_ip_lookup.yml;False
net_connection_win_susp_file_sharing_domains_susp_folders.yml;True
net_connection_win_susp_google_api_non_browser_access.yml;False
net_connection_win_susp_malware_callback_port.yml;False
net_connection_win_susp_malware_callback_ports_uncommon.yml;False
net_connection_win_susp_outbound_kerberos_connection.yml;True
net_connection_win_susp_outbound_mobsync_connection.yml;False
net_connection_win_susp_outbound_smtp_connections.yml;True
net_connection_win_susp_prog_location_network_connection.yml;False
net_connection_win_susp_remote_powershell_session.yml;True
net_connection_win_telegram_api_non_browser_access.yml;False
net_connection_win_vscode_tunnel_connection.yml;False
net_connection_win_winlogon_net_connections.yml;False
net_connection_win_wordpad_uncommon_ports.yml;False
net_connection_win_wuauclt_network_connection.yml;False
pipe_created_adfs_namedpipe_connection_uncommon_tool.yml;False
pipe_created_hktl_cobaltstrike.yml;True
pipe_created_hktl_cobaltstrike_re.yml;False
pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml;False
pipe_created_hktl_coercedpotato.yml;False
pipe_created_hktl_diagtrack_eop.yml;False
pipe_created_hktl_efspotato.yml;True
pipe_created_hktl_generic_cred_dump_tools_pipes.yml;False
pipe_created_hktl_koh_default_pipe.yml;False
pipe_created_powershell_alternate_host_pipe.yml;False
pipe_created_powershell_execution_pipe.yml;False
pipe_created_pua_csexec_default_pipe.yml;False
pipe_created_pua_paexec_default_pipe.yml;False
pipe_created_pua_remcom_default_pipe.yml;False
pipe_created_scrcons_wmi_consumer_namedpipe.yml;False
pipe_created_susp_malicious_namedpipes.yml;False
pipe_created_sysinternals_psexec_default_pipe_susp_location.yml;False
posh_pc_abuse_nslookup_with_dns_records.yml;False
posh_pc_delete_volume_shadow_copies.yml;False
posh_pc_downgrade_attack.yml;False
posh_pc_exe_calling_ps.yml;False
posh_pc_powercat.yml;False
posh_pc_remotefxvgpudisablement_abuse.yml;False
posh_pc_remote_powershell_session.yml;False
posh_pc_renamed_powershell.yml;False
posh_pc_susp_download.yml;False
posh_pc_susp_get_nettcpconnection.yml;False
posh_pc_susp_zip_compress.yml;False
posh_pc_tamper_windows_defender_set_mp.yml;False
posh_pc_wsman_com_provider_no_powershell.yml;False
posh_pc_xor_commandline.yml;False
posh_pm_active_directory_module_dll_import.yml;False
posh_pm_alternate_powershell_hosts.yml;True
posh_pm_bad_opsec_artifacts.yml;True
posh_pm_clear_powershell_history.yml;True
posh_pm_decompress_commands.yml;False
posh_pm_exploit_scripts.yml;True
posh_pm_get_addbaccount.yml;False
posh_pm_get_clipboard.yml;True
posh_pm_invoke_obfuscation_clip.yml;False
posh_pm_invoke_obfuscation_obfuscated_iex.yml;False
posh_pm_invoke_obfuscation_stdin.yml;False
posh_pm_invoke_obfuscation_var.yml;False
posh_pm_invoke_obfuscation_via_compress.yml;False
posh_pm_invoke_obfuscation_via_rundll.yml;False
posh_pm_invoke_obfuscation_via_stdin.yml;False
posh_pm_invoke_obfuscation_via_use_clip.yml;False
posh_pm_invoke_obfuscation_via_use_mhsta.yml;False
posh_pm_invoke_obfuscation_via_use_rundll32.yml;False
posh_pm_invoke_obfuscation_via_var.yml;False
posh_pm_malicious_commandlets.yml;True
posh_pm_remotefxvgpudisablement_abuse.yml;True
posh_pm_remote_powershell_session.yml;False
posh_pm_susp_ad_group_reco.yml;True
posh_pm_susp_download.yml;True
posh_pm_susp_get_nettcpconnection.yml;True
posh_pm_susp_invocation_generic.yml;False
posh_pm_susp_invocation_specific.yml;True
posh_pm_susp_local_group_reco.yml;True
posh_pm_susp_reset_computermachinepassword.yml;False
posh_pm_susp_smb_share_reco.yml;True
posh_pm_susp_zip_compress.yml;True
posh_pm_syncappvpublishingserver_exe.yml;False
posh_ps_aadinternals_cmdlets_execution.yml;False
posh_ps_access_to_browser_login_data.yml;True
posh_ps_active_directory_module_dll_import.yml;False
posh_ps_add_dnsclient_rule.yml;False
posh_ps_add_windows_capability.yml;False
posh_ps_adrecon_execution.yml;True
posh_ps_amsi_bypass_pattern_nov22.yml;False
posh_ps_amsi_null_bits_bypass.yml;False
posh_ps_apt_silence_eda.yml;False
posh_ps_as_rep_roasting.yml;True
posh_ps_audio_exfiltration.yml;False
posh_ps_automated_collection.yml;True
posh_ps_capture_screenshots.yml;True
posh_ps_clearing_windows_console_history.yml;True
posh_ps_clear_powershell_history.yml;False
posh_ps_cmdlet_scheduled_task.yml;True
posh_ps_computer_discovery_get_adcomputer.yml;False
posh_ps_copy_item_system_directory.yml;True
posh_ps_cor_profiler.yml;True
posh_ps_create_local_user.yml;True
posh_ps_create_volume_shadow_copy.yml;True
posh_ps_detect_vm_env.yml;True
posh_ps_directorysearcher.yml;True
posh_ps_directoryservices_accountmanagement.yml;True
posh_ps_disable_psreadline_command_history.yml;False
posh_ps_disable_windows_optional_feature.yml;True
posh_ps_dotnet_assembly_from_file.yml;False
posh_ps_download_com_cradles.yml;False
posh_ps_dump_password_windows_credential_manager.yml;True
posh_ps_enable_psremoting.yml;True
posh_ps_enable_susp_windows_optional_feature.yml;False
posh_ps_enumerate_password_windows_credential_manager.yml;True
posh_ps_etw_trace_evasion.yml;False
posh_ps_exchange_mailbox_smpt_forwarding_rule.yml;False
posh_ps_export_certificate.yml;True
posh_ps_frombase64string_archive.yml;False
posh_ps_get_acl_service.yml;True
posh_ps_get_adcomputer.yml;True
posh_ps_get_adgroup.yml;True
posh_ps_get_adreplaccount.yml;True
posh_ps_get_childitem_bookmarks.yml;True
posh_ps_get_process_security_software_discovery.yml;True
posh_ps_hktl_rubeus.yml;False
posh_ps_hktl_winpwn.yml;False
posh_ps_hotfix_enum.yml;False
posh_ps_icmp_exfiltration.yml;True
posh_ps_import_module_susp_dirs.yml;False
posh_ps_install_unsigned_appx_packages.yml;False
posh_ps_invoke_command_remote.yml;True
posh_ps_invoke_dnsexfiltration.yml;True
posh_ps_invoke_obfuscation_clip.yml;False
posh_ps_invoke_obfuscation_obfuscated_iex.yml;False
posh_ps_invoke_obfuscation_stdin.yml;False
posh_ps_invoke_obfuscation_var.yml;False
posh_ps_invoke_obfuscation_via_compress.yml;False
posh_ps_invoke_obfuscation_via_rundll.yml;False
posh_ps_invoke_obfuscation_via_stdin.yml;False
posh_ps_invoke_obfuscation_via_use_clip.yml;False
posh_ps_invoke_obfuscation_via_use_mhsta.yml;False
posh_ps_invoke_obfuscation_via_use_rundll32.yml;False
posh_ps_invoke_obfuscation_via_var.yml;False
posh_ps_keylogging.yml;True
posh_ps_localuser.yml;True
posh_ps_mailboxexport_share.yml;False
posh_ps_malicious_commandlets.yml;True
posh_ps_malicious_keywords.yml;True
posh_ps_memorydump_getstoragediagnosticinfo.yml;False
posh_ps_modify_group_policy_settings.yml;True
posh_ps_msxml_com.yml;True
posh_ps_nishang_malicious_commandlets.yml;True
posh_ps_ntfs_ads_access.yml;True
posh_ps_office_comobject_registerxll.yml;True
posh_ps_packet_capture.yml;False
posh_ps_potential_invoke_mimikatz.yml;False
posh_ps_powerview_malicious_commandlets.yml;True
posh_ps_prompt_credentials.yml;True
posh_ps_psasyncshell.yml;False
posh_ps_psattack.yml;False
posh_ps_remotefxvgpudisablement_abuse.yml;False
posh_ps_remote_session_creation.yml;True
posh_ps_request_kerberos_ticket.yml;True
posh_ps_resolve_list_of_ip_from_file.yml;False
posh_ps_root_certificate_installed.yml;True
posh_ps_run_from_mount_diskimage.yml;True
posh_ps_script_with_upload_capabilities.yml;True
posh_ps_send_mailmessage.yml;True
posh_ps_sensitive_file_discovery.yml;False
posh_ps_set_acl.yml;False
posh_ps_set_acl_susp_location.yml;False
posh_ps_set_policies_to_unsecure_level.yml;True
posh_ps_shellcode_b64.yml;False
posh_ps_shellintel_malicious_commandlets.yml;True
posh_ps_software_discovery.yml;True
posh_ps_store_file_in_alternate_data_stream.yml;True
posh_ps_susp_ace_tampering.yml;False
posh_ps_susp_ad_group_reco.yml;True
posh_ps_susp_alias_obfscuation.yml;False
posh_ps_susp_clear_eventlog.yml;False
posh_ps_susp_directory_enum.yml;True
posh_ps_susp_download.yml;True
posh_ps_susp_execute_batch_script.yml;True
posh_ps_susp_extracting.yml;True
posh_ps_susp_follina_execution.yml;False
posh_ps_susp_getprocess_lsass.yml;True
posh_ps_susp_gettypefromclsid.yml;True
posh_ps_susp_get_addefaultdomainpasswordpolicy.yml;True
posh_ps_susp_get_current_user.yml;True
posh_ps_susp_get_gpo.yml;True
posh_ps_susp_get_process.yml;True
posh_ps_susp_hyper_v_condlet.yml;True
posh_ps_susp_invocation_generic.yml;False
posh_ps_susp_invocation_specific.yml;True
posh_ps_susp_invoke_webrequest_useragent.yml;True
posh_ps_susp_iofilestream.yml;True
posh_ps_susp_keylogger_activity.yml;False
posh_ps_susp_keywords.yml;True
posh_ps_susp_local_group_reco.yml;True
posh_ps_susp_mail_acces.yml;True
posh_ps_susp_mounted_share_deletion.yml;True
posh_ps_susp_mount_diskimage.yml;True
posh_ps_susp_networkcredential.yml;True
posh_ps_susp_new_psdrive.yml;True
posh_ps_susp_proxy_scripts.yml;False
posh_ps_susp_recon_export.yml;True
posh_ps_susp_remove_adgroupmember.yml;True
posh_ps_susp_service_dacl_modification_set_service.yml;False
posh_ps_susp_set_alias.yml;True
posh_ps_susp_smb_share_reco.yml;True
posh_ps_susp_ssl_keyword.yml;False
posh_ps_susp_start_process.yml;True
posh_ps_susp_unblock_file.yml;True
posh_ps_susp_wallpaper.yml;True
posh_ps_susp_win32_pnpentity.yml;True
posh_ps_susp_win32_shadowcopy.yml;True
posh_ps_susp_win32_shadowcopy_deletion.yml;False
posh_ps_susp_windowstyle.yml;True
posh_ps_susp_write_eventlog.yml;False
posh_ps_susp_zip_compress.yml;True
posh_ps_syncappvpublishingserver_exe.yml;False
posh_ps_tamper_windows_defender_rem_mp.yml;False
posh_ps_tamper_windows_defender_set_mp.yml;True
posh_ps_test_netconnection.yml;True
posh_ps_timestomp.yml;True
posh_ps_token_obfuscation.yml;False
posh_ps_user_discovery_get_aduser.yml;False
posh_ps_user_profile_tampering.yml;True
posh_ps_using_set_service_to_hide_services.yml;False
posh_ps_veeam_credential_dumping_script.yml;False
posh_ps_web_request_cmd_and_cmdlets.yml;True
posh_ps_win32_nteventlogfile_usage.yml;False
posh_ps_win32_product_install_msi.yml;True
posh_ps_windows_firewall_profile_disabled.yml;False
posh_ps_winlogon_helper_dll.yml;True
posh_ps_win_api_susp_access.yml;True
posh_ps_win_defender_exclusions_added.yml;False
posh_ps_wmimplant.yml;False
posh_ps_wmi_persistence.yml;True
posh_ps_wmi_unquoted_service_search.yml;False
posh_ps_x509enrollment.yml;False
posh_ps_xml_iex.yml;True
proc_access_win_cmstp_execution_by_access.yml;False
proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml;False
proc_access_win_hktl_generic_access.yml;False
proc_access_win_hktl_handlekatz_lsass_access.yml;False
proc_access_win_hktl_littlecorporal_generated_maldoc.yml;False
proc_access_win_hktl_sysmonente.yml;False
proc_access_win_lsass_dump_comsvcs_dll.yml;True
proc_access_win_lsass_dump_keyword_image.yml;False
proc_access_win_lsass_memdump.yml;True
proc_access_win_lsass_python_based_tool.yml;False
proc_access_win_lsass_remote_access_trough_winrm.yml;False
proc_access_win_lsass_seclogon_access.yml;False
proc_access_win_lsass_susp_access_flag.yml;True
proc_access_win_lsass_werfault.yml;False
proc_access_win_lsass_whitelisted_process_names.yml;False
proc_access_win_susp_direct_ntopenprocess_call.yml;False
proc_access_win_susp_invoke_patchingapi.yml;False
proc_access_win_susp_shellcode_injection.yml;True
proc_access_win_svchost_credential_dumping.yml;False
proc_access_win_svchost_susp_access_request.yml;False
proc_access_win_uac_bypass_editionupgrademanagerobj.yml;False
proc_access_win_uac_bypass_wow64_logger.yml;False
proc_creation_win_7zip_exfil_dmp_files.yml;False
proc_creation_win_7zip_password_compression.yml;True
proc_creation_win_7zip_password_extraction.yml;False
proc_creation_win_addinutil_suspicious_cmdline.yml;False
proc_creation_win_addinutil_uncommon_child_process.yml;False
proc_creation_win_addinutil_uncommon_cmdline.yml;False
proc_creation_win_addinutil_uncommon_dir_exec.yml;False
proc_creation_win_adplus_memory_dump.yml;False
proc_creation_win_agentexecutor_potential_abuse.yml;False
proc_creation_win_agentexecutor_susp_usage.yml;False
proc_creation_win_appvlp_uncommon_child_process.yml;False
proc_creation_win_aspnet_compiler_exectuion.yml;False
proc_creation_win_aspnet_compiler_susp_child_process.yml;False
proc_creation_win_aspnet_compiler_susp_paths.yml;False
proc_creation_win_atbroker_uncommon_ats_execution.yml;True
proc_creation_win_attrib_hiding_files.yml;True
proc_creation_win_attrib_system_susp_paths.yml;False
proc_creation_win_at_interactive_execution.yml;True
proc_creation_win_auditpol_nt_resource_kit_usage.yml;False
proc_creation_win_auditpol_susp_execution.yml;True
proc_creation_win_bash_command_execution.yml;False
proc_creation_win_bash_file_execution.yml;False
proc_creation_win_bcdedit_boot_conf_tamper.yml;True
proc_creation_win_bcdedit_susp_execution.yml;True
proc_creation_win_bginfo_suspicious_child_process.yml;False
proc_creation_win_bginfo_uncommon_child_process.yml;False
proc_creation_win_bitsadmin_download.yml;True
proc_creation_win_bitsadmin_download_direct_ip.yml;False
proc_creation_win_bitsadmin_download_file_sharing_domains.yml;False
proc_creation_win_bitsadmin_download_susp_extensions.yml;False
proc_creation_win_bitsadmin_download_susp_targetfolder.yml;False
proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml;False
proc_creation_win_bitsadmin_potential_persistence.yml;True
proc_creation_win_browsers_chromium_headless_debugging.yml;False
proc_creation_win_browsers_chromium_headless_exec.yml;True
proc_creation_win_browsers_chromium_headless_file_download.yml;False
proc_creation_win_browsers_chromium_load_extension.yml;False
proc_creation_win_browsers_chromium_mockbin_abuse.yml;True
proc_creation_win_browsers_chromium_susp_load_extension.yml;True
proc_creation_win_browsers_inline_file_download.yml;False
proc_creation_win_browsers_remote_debugging.yml;False
proc_creation_win_browsers_tor_execution.yml;True
proc_creation_win_calc_uncommon_exec.yml;True
proc_creation_win_cdb_arbitrary_command_execution.yml;False
proc_creation_win_certmgr_certificate_installation.yml;False
proc_creation_win_certoc_download.yml;False
proc_creation_win_certoc_download_direct_ip.yml;False
proc_creation_win_certoc_load_dll.yml;False
proc_creation_win_certoc_load_dll_susp_locations.yml;False
proc_creation_win_certutil_certificate_installation.yml;False
proc_creation_win_certutil_decode.yml;False
proc_creation_win_certutil_download.yml;False
proc_creation_win_certutil_download_direct_ip.yml;False
proc_creation_win_certutil_download_file_sharing_domains.yml;False
proc_creation_win_certutil_encode.yml;True
proc_creation_win_certutil_encode_susp_extensions.yml;False
proc_creation_win_certutil_encode_susp_location.yml;False
proc_creation_win_certutil_export_pfx.yml;True
proc_creation_win_certutil_ntlm_coercion.yml;False
proc_creation_win_chcp_codepage_lookup.yml;True
proc_creation_win_chcp_codepage_switch.yml;False
proc_creation_win_cipher_overwrite_deleted_data.yml;True
proc_creation_win_citrix_trolleyexpress_procdump.yml;False
proc_creation_win_clip_execution.yml;True
proc_creation_win_cloudflared_portable_execution.yml;False
proc_creation_win_cloudflared_quicktunnel_execution.yml;False
proc_creation_win_cloudflared_tunnel_cleanup.yml;False
proc_creation_win_cloudflared_tunnel_run.yml;False
proc_creation_win_cmdkey_adding_generic_creds.yml;False
proc_creation_win_cmdkey_recon.yml;True
proc_creation_win_cmdl32_arbitrary_file_download.yml;True
proc_creation_win_cmd_assoc_execution.yml;True
proc_creation_win_cmd_assoc_tamper_exe_file_association.yml;False
proc_creation_win_cmd_copy_dmp_from_share.yml;False
proc_creation_win_cmd_curl_download_exec_combo.yml;False
proc_creation_win_cmd_del_execution.yml;True
proc_creation_win_cmd_del_greedy_deletion.yml;False
proc_creation_win_cmd_dir_execution.yml;True
proc_creation_win_cmd_dosfuscation.yml;False
proc_creation_win_cmd_http_appdata.yml;False
proc_creation_win_cmd_mklink_osk_cmd.yml;True
proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml;True
proc_creation_win_cmd_net_use_and_exec_combo.yml;False
proc_creation_win_cmd_no_space_execution.yml;False
proc_creation_win_cmd_ntdllpipe_redirect.yml;False
proc_creation_win_cmd_path_traversal.yml;False
proc_creation_win_cmd_ping_copy_combined_execution.yml;False
proc_creation_win_cmd_ping_del_combined_execution.yml;False
proc_creation_win_cmd_redirection_susp_folder.yml;False
proc_creation_win_cmd_rmdir_execution.yml;False
proc_creation_win_cmd_shadowcopy_access.yml;True
proc_creation_win_cmd_stdin_redirect.yml;True
proc_creation_win_cmd_sticky_keys_replace.yml;False
proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml;False
proc_creation_win_cmd_type_arbitrary_file_download.yml;False
proc_creation_win_cmd_unusual_parent.yml;False
proc_creation_win_cmstp_execution_by_creation.yml;False
proc_creation_win_configsecuritypolicy_download_file.yml;False
proc_creation_win_conhost_legacy_option.yml;False
proc_creation_win_conhost_path_traversal.yml;False
proc_creation_win_conhost_susp_child_process.yml;True
proc_creation_win_conhost_uncommon_parent.yml;False
proc_creation_win_control_panel_item.yml;True
proc_creation_win_createdump_lolbin_execution.yml;True
proc_creation_win_csc_susp_dynamic_compilation.yml;True
proc_creation_win_csc_susp_parent.yml;False
proc_creation_win_csi_execution.yml;False
proc_creation_win_csi_use_of_csharp_console.yml;False
proc_creation_win_csvde_export.yml;False
proc_creation_win_curl_cookie_hijacking.yml;False
proc_creation_win_curl_custom_user_agent.yml;False
proc_creation_win_curl_download_direct_ip_exec.yml;False
proc_creation_win_curl_download_direct_ip_susp_extensions.yml;False
proc_creation_win_curl_download_susp_file_sharing_domains.yml;False
proc_creation_win_curl_insecure_connection.yml;False
proc_creation_win_curl_insecure_porxy_or_doh.yml;False
proc_creation_win_curl_local_file_read.yml;False
proc_creation_win_curl_susp_download.yml;True
proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml;False
proc_creation_win_defaultpack_uncommon_child_process.yml;False
proc_creation_win_desktopimgdownldr_remote_file_download.yml;False
proc_creation_win_desktopimgdownldr_susp_execution.yml;True
proc_creation_win_deviceenroller_dll_sideloading.yml;False
proc_creation_win_devinit_lolbin_usage.yml;False
proc_creation_win_dfsvc_suspicious_child_processes.yml;False
proc_creation_win_dirlister_execution.yml;True
proc_creation_win_diskshadow_child_process_susp.yml;False
proc_creation_win_diskshadow_script_mode_susp_ext.yml;False
proc_creation_win_diskshadow_script_mode_susp_location.yml;False
proc_creation_win_dllhost_no_cli_execution.yml;False
proc_creation_win_dll_sideload_vmware_xfer.yml;False
proc_creation_win_dnscmd_discovery.yml;False
proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml;False
proc_creation_win_dns_exfiltration_tools_execution.yml;False
proc_creation_win_dns_susp_child_process.yml;False
proc_creation_win_dnx_execute_csharp_code.yml;False
proc_creation_win_dotnetdump_memory_dump.yml;False
proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml;False
proc_creation_win_dotnet_trace_lolbin_execution.yml;False
proc_creation_win_driverquery_recon.yml;False
proc_creation_win_driverquery_usage.yml;False
proc_creation_win_dsacls_abuse_permissions.yml;False
proc_creation_win_dsacls_password_spray.yml;False
proc_creation_win_dsim_remove.yml;True
proc_creation_win_dsquery_domain_trust_discovery.yml;True
proc_creation_win_dtrace_kernel_dump.yml;False
proc_creation_win_dumpminitool_execution.yml;False
proc_creation_win_dumpminitool_susp_execution.yml;False
proc_creation_win_esentutl_params.yml;False
proc_creation_win_esentutl_sensitive_file_copy.yml;True
proc_creation_win_esentutl_webcache.yml;False
proc_creation_win_eventvwr_susp_child_process.yml;False
proc_creation_win_expand_cabinet_files.yml;False
proc_creation_win_explorer_break_process_tree.yml;False
proc_creation_win_explorer_lolbin_execution.yml;False
proc_creation_win_explorer_nouaccheck.yml;False
proc_creation_win_findstr_download.yml;True
proc_creation_win_findstr_gpp_passwords.yml;True
proc_creation_win_findstr_lnk.yml;False
proc_creation_win_findstr_lsass.yml;False
proc_creation_win_findstr_recon_everyone.yml;False
proc_creation_win_findstr_recon_pipe_output.yml;False
proc_creation_win_findstr_security_keyword_lookup.yml;False
proc_creation_win_findstr_subfolder_search.yml;True
proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml;True
proc_creation_win_finger_usage.yml;True
proc_creation_win_fltmc_unload_driver.yml;False
proc_creation_win_fltmc_unload_driver_sysmon.yml;True
proc_creation_win_forfiles_child_process_masquerading.yml;False
proc_creation_win_forfiles_proxy_execution_.yml;True
proc_creation_win_format_uncommon_filesystem_load.yml;False
proc_creation_win_fsi_fsharp_code_execution.yml;False
proc_creation_win_fsutil_drive_enumeration.yml;False
proc_creation_win_fsutil_symlinkevaluation.yml;True
proc_creation_win_fsutil_usage.yml;True
proc_creation_win_ftp_arbitrary_command_execution.yml;False
proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml;False
proc_creation_win_git_susp_clone.yml;False
proc_creation_win_googleupdate_susp_child_process.yml;False
proc_creation_win_gpg4win_decryption.yml;False
proc_creation_win_gpg4win_encryption.yml;False
proc_creation_win_gpg4win_portable_execution.yml;False
proc_creation_win_gpg4win_susp_location.yml;False
proc_creation_win_gpresult_execution.yml;True
proc_creation_win_gup_arbitrary_binary_execution.yml;False
proc_creation_win_gup_download.yml;False
proc_creation_win_gup_suspicious_execution.yml;True
proc_creation_win_hh_chm_execution.yml;True
proc_creation_win_hh_chm_remote_download_or_execution.yml;False
proc_creation_win_hh_html_help_susp_child_process.yml;True
proc_creation_win_hh_susp_execution.yml;False
proc_creation_win_hktl_adcspwn.yml;False
proc_creation_win_hktl_bloodhound_sharphound.yml;True
proc_creation_win_hktl_c3_rundll32_pattern.yml;False
proc_creation_win_hktl_certify.yml;False
proc_creation_win_hktl_certipy.yml;False
proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml;False
proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml;False
proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml;False
proc_creation_win_hktl_cobaltstrike_process_patterns.yml;True
proc_creation_win_hktl_coercedpotato.yml;False
proc_creation_win_hktl_covenant.yml;False
proc_creation_win_hktl_crackmapexec_execution.yml;False
proc_creation_win_hktl_crackmapexec_execution_patterns.yml;False
proc_creation_win_hktl_crackmapexec_patterns.yml;False
proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml;False
proc_creation_win_hktl_createminidump.yml;False
proc_creation_win_hktl_dinjector.yml;True
proc_creation_win_hktl_dumpert.yml;True
proc_creation_win_hktl_edrsilencer.yml;False
proc_creation_win_hktl_empire_powershell_launch.yml;False
proc_creation_win_hktl_empire_powershell_uac_bypass.yml;False
proc_creation_win_hktl_evil_winrm.yml;True
proc_creation_win_hktl_execution_via_imphashes.yml;True
proc_creation_win_hktl_execution_via_pe_metadata.yml;False
proc_creation_win_hktl_gmer.yml;False
proc_creation_win_hktl_handlekatz.yml;False
proc_creation_win_hktl_hashcat.yml;True
proc_creation_win_hktl_htran_or_natbypass.yml;False
proc_creation_win_hktl_hydra.yml;False
proc_creation_win_hktl_impacket_lateral_movement.yml;False
proc_creation_win_hktl_impacket_tools.yml;False
proc_creation_win_hktl_impersonate.yml;False
proc_creation_win_hktl_inveigh.yml;False
proc_creation_win_hktl_invoke_obfuscation_clip.yml;False
proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml;False
proc_creation_win_hktl_invoke_obfuscation_stdin.yml;False
proc_creation_win_hktl_invoke_obfuscation_var.yml;False
proc_creation_win_hktl_invoke_obfuscation_via_compress.yml;False
proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml;False
proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml;False
proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml;False
proc_creation_win_hktl_invoke_obfuscation_via_var.yml;False
proc_creation_win_hktl_jlaive_batch_execution.yml;False
proc_creation_win_hktl_koadic.yml;False
proc_creation_win_hktl_krbrelay.yml;False
proc_creation_win_hktl_krbrelayup.yml;False
proc_creation_win_hktl_localpotato.yml;False
proc_creation_win_hktl_meterpreter_getsystem.yml;True
proc_creation_win_hktl_mimikatz_command_line.yml;True
proc_creation_win_hktl_pchunter.yml;False
proc_creation_win_hktl_powersploit_empire_default_schtasks.yml;False
proc_creation_win_hktl_powertool.yml;False
proc_creation_win_hktl_purplesharp_indicators.yml;False
proc_creation_win_hktl_pypykatz.yml;True
proc_creation_win_hktl_quarks_pwdump.yml;False
proc_creation_win_hktl_redmimicry_winnti_playbook.yml;False
proc_creation_win_hktl_relay_attacks_tools.yml;True
proc_creation_win_hktl_rubeus.yml;True
proc_creation_win_hktl_safetykatz.yml;False
proc_creation_win_hktl_secutyxploded.yml;False
proc_creation_win_hktl_selectmyparent.yml;False
proc_creation_win_hktl_sharpersist.yml;False
proc_creation_win_hktl_sharpevtmute.yml;False
proc_creation_win_hktl_sharpldapwhoami.yml;False
proc_creation_win_hktl_sharpmove.yml;False
proc_creation_win_hktl_sharpup.yml;False
proc_creation_win_hktl_sharpview.yml;True
proc_creation_win_hktl_sharp_chisel.yml;False
proc_creation_win_hktl_sharp_impersonation.yml;False
proc_creation_win_hktl_sharp_ldap_monitor.yml;False
proc_creation_win_hktl_silenttrinity_stager.yml;False
proc_creation_win_hktl_sliver_c2_execution_pattern.yml;False
proc_creation_win_hktl_stracciatella_execution.yml;False
proc_creation_win_hktl_sysmoneop.yml;False
proc_creation_win_hktl_trufflesnout.yml;True
proc_creation_win_hktl_uacme.yml;True
proc_creation_win_hktl_wce.yml;False
proc_creation_win_hktl_winpeas.yml;False
proc_creation_win_hktl_winpwn.yml;False
proc_creation_win_hktl_wmiexec_default_powershell.yml;False
proc_creation_win_hktl_xordump.yml;False
proc_creation_win_hktl_zipexec.yml;False
proc_creation_win_hostname_execution.yml;True
proc_creation_win_hwp_exploits.yml;False
proc_creation_win_hxtsr_masquerading.yml;False
proc_creation_win_icacls_deny.yml;False
proc_creation_win_ieexec_download.yml;False
proc_creation_win_iexpress_susp_execution.yml;False
proc_creation_win_iis_appcmd_http_logging.yml;True
proc_creation_win_iis_appcmd_service_account_password_dumped.yml;True
proc_creation_win_iis_appcmd_susp_module_install.yml;False
proc_creation_win_iis_appcmd_susp_rewrite_rule.yml;False
proc_creation_win_iis_connection_strings_decryption.yml;False
proc_creation_win_iis_susp_module_registration.yml;False
proc_creation_win_ilasm_il_code_compilation.yml;False
proc_creation_win_imagingdevices_unusual_parents.yml;False
proc_creation_win_imewbdld_download.yml;False
proc_creation_win_infdefaultinstall_execute_sct_scripts.yml;True
proc_creation_win_installutil_download.yml;False
proc_creation_win_instalutil_no_log_execution.yml;False
proc_creation_win_java_keytool_susp_child_process.yml;False
proc_creation_win_java_manageengine_susp_child_process.yml;False
proc_creation_win_java_remote_debugging.yml;False
proc_creation_win_java_susp_child_process.yml;False
proc_creation_win_java_susp_child_process_2.yml;False
proc_creation_win_java_sysaidserver_susp_child_process.yml;False
proc_creation_win_jsc_execution.yml;True
proc_creation_win_kd_execution.yml;False
proc_creation_win_keyscrambler_susp_child_process.yml;False
proc_creation_win_ksetup_password_change_computer.yml;False
proc_creation_win_ksetup_password_change_user.yml;False
proc_creation_win_ldifde_export.yml;True
proc_creation_win_ldifde_file_load.yml;False
proc_creation_win_lodctr_performance_counter_tampering.yml;False
proc_creation_win_logman_disable_eventlog.yml;False
proc_creation_win_lolbin_customshellhost.yml;False
proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml;False
proc_creation_win_lolbin_device_credential_deployment.yml;False
proc_creation_win_lolbin_devtoolslauncher.yml;False
proc_creation_win_lolbin_diantz_ads.yml;False
proc_creation_win_lolbin_diantz_remote_cab.yml;False
proc_creation_win_lolbin_dump64.yml;False
proc_creation_win_lolbin_extexport.yml;False
proc_creation_win_lolbin_extrac32.yml;False
proc_creation_win_lolbin_extrac32_ads.yml;False
proc_creation_win_lolbin_gather_network_info.yml;False
proc_creation_win_lolbin_gpscript.yml;True
proc_creation_win_lolbin_ie4uinit.yml;True
proc_creation_win_lolbin_kavremover.yml;False
proc_creation_win_lolbin_launch_vsdevshell.yml;False
proc_creation_win_lolbin_manage_bde.yml;True
proc_creation_win_lolbin_mavinject_process_injection.yml;True
proc_creation_win_lolbin_mpiexec.yml;False
proc_creation_win_lolbin_msdeploy.yml;False
proc_creation_win_lolbin_msdt_answer_file.yml;False
proc_creation_win_lolbin_openconsole.yml;False
proc_creation_win_lolbin_openwith.yml;False
proc_creation_win_lolbin_pcalua.yml;False
proc_creation_win_lolbin_pcwrun.yml;False
proc_creation_win_lolbin_pcwrun_follina.yml;False
proc_creation_win_lolbin_pcwutl.yml;True
proc_creation_win_lolbin_pester.yml;False
proc_creation_win_lolbin_pester_1.yml;False
proc_creation_win_lolbin_printbrm.yml;True
proc_creation_win_lolbin_pubprn.yml;True
proc_creation_win_lolbin_rasautou_dll_execution.yml;False
proc_creation_win_lolbin_register_app.yml;False
proc_creation_win_lolbin_remote.yml;False
proc_creation_win_lolbin_replace.yml;True
proc_creation_win_lolbin_runexehelper.yml;False
proc_creation_win_lolbin_runscripthelper.yml;False
proc_creation_win_lolbin_scriptrunner.yml;False
proc_creation_win_lolbin_setres.yml;False
proc_creation_win_lolbin_settingsynchost.yml;False
proc_creation_win_lolbin_sftp.yml;False
proc_creation_win_lolbin_sideload_link_binary.yml;False
proc_creation_win_lolbin_sigverif.yml;False
proc_creation_win_lolbin_ssh.yml;False
proc_creation_win_lolbin_susp_acccheckconsole.yml;False
proc_creation_win_lolbin_susp_certreq_download.yml;True
proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml;True
proc_creation_win_lolbin_susp_dxcap.yml;False
proc_creation_win_lolbin_susp_grpconv.yml;False
proc_creation_win_lolbin_susp_sqldumper_activity.yml;False
proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml;False
proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml;True
proc_creation_win_lolbin_tracker.yml;False
proc_creation_win_lolbin_ttdinject.yml;False
proc_creation_win_lolbin_tttracer_mod_load.yml;False
proc_creation_win_lolbin_unregmp2.yml;False
proc_creation_win_lolbin_utilityfunctions.yml;False
proc_creation_win_lolbin_visualuiaverifynative.yml;False
proc_creation_win_lolbin_visual_basic_compiler.yml;True
proc_creation_win_lolbin_vsiisexelauncher.yml;False
proc_creation_win_lolbin_wfc.yml;False
proc_creation_win_lolbin_workflow_compiler.yml;True
proc_creation_win_lolscript_register_app.yml;False
proc_creation_win_lsass_process_clone.yml;False
proc_creation_win_mftrace_child_process.yml;False
proc_creation_win_mmc_mmc20_lateral_movement.yml;True
proc_creation_win_mmc_susp_child_process.yml;False
proc_creation_win_mode_codepage_russian.yml;False
proc_creation_win_mofcomp_execution.yml;True
proc_creation_win_mpcmdrun_dll_sideload_defender.yml;False
proc_creation_win_mpcmdrun_download_arbitrary_file.yml;True
proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml;True
proc_creation_win_msbuild_susp_parent_process.yml;False
proc_creation_win_msdt_arbitrary_command_execution.yml;False
proc_creation_win_msdt_susp_cab_options.yml;False
proc_creation_win_msdt_susp_parent.yml;False
proc_creation_win_msedge_proxy_download.yml;False
proc_creation_win_mshta_http.yml;False
proc_creation_win_mshta_inline_vbscript.yml;True
proc_creation_win_mshta_javascript.yml;True
proc_creation_win_mshta_lethalhta_technique.yml;True
proc_creation_win_mshta_susp_child_processes.yml;True
proc_creation_win_mshta_susp_execution.yml;True
proc_creation_win_mshta_susp_pattern.yml;True
proc_creation_win_msiexec_dll.yml;True
proc_creation_win_msiexec_embedding.yml;True
proc_creation_win_msiexec_execute_dll.yml;True
proc_creation_win_msiexec_install_quiet.yml;True
proc_creation_win_msiexec_install_remote.yml;False
proc_creation_win_msiexec_masquerading.yml;False
proc_creation_win_msiexec_web_install.yml;False
proc_creation_win_msohtmed_download.yml;False
proc_creation_win_mspub_download.yml;False
proc_creation_win_msra_process_injection.yml;False
proc_creation_win_mssql_sqlps_susp_execution.yml;False
proc_creation_win_mssql_sqltoolsps_susp_execution.yml;False
proc_creation_win_mssql_susp_child_process.yml;False
proc_creation_win_mssql_veaam_susp_child_processes.yml;False
proc_creation_win_mstsc_rdp_hijack_shadowing.yml;False
proc_creation_win_mstsc_remote_connection.yml;True
proc_creation_win_mstsc_run_local_rdp_file.yml;False
proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml;False
proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml;False
proc_creation_win_msxsl_execution.yml;False
proc_creation_win_msxsl_remote_execution.yml;False
proc_creation_win_netsh_fw_add_rule.yml;True
proc_creation_win_netsh_fw_allow_program_in_susp_location.yml;False
proc_creation_win_netsh_fw_allow_rdp.yml;True
proc_creation_win_netsh_fw_delete_rule.yml;False
proc_creation_win_netsh_fw_disable.yml;True
proc_creation_win_netsh_fw_enable_group_rule.yml;True
proc_creation_win_netsh_fw_rules_discovery.yml;True
proc_creation_win_netsh_fw_set_rule.yml;False
proc_creation_win_netsh_helper_dll_persistence.yml;True
proc_creation_win_netsh_packet_capture.yml;True
proc_creation_win_netsh_port_forwarding.yml;True
proc_creation_win_netsh_port_forwarding_3389.yml;False
proc_creation_win_netsh_wifi_credential_harvesting.yml;False
proc_creation_win_net_groups_and_accounts_recon.yml;True
proc_creation_win_net_share_unmount.yml;True
proc_creation_win_net_start_service.yml;True
proc_creation_win_net_stop_service.yml;False
proc_creation_win_net_user_add.yml;True
proc_creation_win_net_user_add_never_expire.yml;True
proc_creation_win_net_user_default_accounts_manipulation.yml;False
proc_creation_win_net_use_mount_admin_share.yml;False
proc_creation_win_net_use_mount_internet_share.yml;False
proc_creation_win_net_use_mount_share.yml;False
proc_creation_win_net_use_network_connections_discovery.yml;True
proc_creation_win_net_use_password_plaintext.yml;False
proc_creation_win_net_view_share_and_sessions_enum.yml;True
proc_creation_win_nltest_execution.yml;False
proc_creation_win_nltest_recon.yml;True
proc_creation_win_node_abuse.yml;False
proc_creation_win_node_adobe_creative_cloud_abuse.yml;False
proc_creation_win_nslookup_domain_discovery.yml;True
proc_creation_win_nslookup_poweshell_download.yml;True
proc_creation_win_ntdsutil_susp_usage.yml;False
proc_creation_win_ntdsutil_usage.yml;True
proc_creation_win_odbcconf_driver_install.yml;False
proc_creation_win_odbcconf_driver_install_susp.yml;False
proc_creation_win_odbcconf_exec_susp_locations.yml;False
proc_creation_win_odbcconf_register_dll_regsvr.yml;False
proc_creation_win_odbcconf_register_dll_regsvr_susp.yml;False
proc_creation_win_odbcconf_response_file.yml;True
proc_creation_win_odbcconf_response_file_susp.yml;False
proc_creation_win_odbcconf_uncommon_child_process.yml;False
proc_creation_win_office_arbitrary_cli_download.yml;True
proc_creation_win_office_excel_dcom_lateral_movement.yml;False
proc_creation_win_office_exec_from_trusted_locations.yml;False
proc_creation_win_office_onenote_susp_child_processes.yml;False
proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml;False
proc_creation_win_office_outlook_execution_from_temp.yml;False
proc_creation_win_office_outlook_susp_child_processes.yml;False
proc_creation_win_office_outlook_susp_child_processes_remote.yml;False
proc_creation_win_office_spawn_exe_from_users_directory.yml;True
proc_creation_win_office_susp_child_processes.yml;True
proc_creation_win_office_winword_dll_load.yml;False
proc_creation_win_offlinescannershell_mpclient_sideloading.yml;False
proc_creation_win_pdqdeploy_execution.yml;True
proc_creation_win_pdqdeploy_runner_susp_children.yml;False
proc_creation_win_perl_inline_command_execution.yml;False
proc_creation_win_php_inline_command_execution.yml;False
proc_creation_win_ping_hex_ip.yml;False
proc_creation_win_pktmon_execution.yml;True
proc_creation_win_plink_port_forwarding.yml;False
proc_creation_win_plink_susp_tunneling.yml;False
proc_creation_win_powercfg_execution.yml;False
proc_creation_win_powershell_aadinternals_cmdlets_execution.yml;False
proc_creation_win_powershell_active_directory_module_dll_import.yml;False
proc_creation_win_powershell_add_windows_capability.yml;False
proc_creation_win_powershell_amsi_init_failed_bypass.yml;True
proc_creation_win_powershell_amsi_null_bits_bypass.yml;False
proc_creation_win_powershell_audio_capture.yml;True
proc_creation_win_powershell_base64_encoded_cmd.yml;True
proc_creation_win_powershell_base64_encoded_cmd_patterns.yml;True
proc_creation_win_powershell_base64_encoded_obfusc.yml;False
proc_creation_win_powershell_base64_frombase64string.yml;False
proc_creation_win_powershell_base64_hidden_flag.yml;False
proc_creation_win_powershell_base64_iex.yml;False
proc_creation_win_powershell_base64_invoke.yml;False
proc_creation_win_powershell_base64_mppreference.yml;False
proc_creation_win_powershell_base64_reflection_assembly_load.yml;False
proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml;False
proc_creation_win_powershell_base64_wmi_classes.yml;False
proc_creation_win_powershell_cl_invocation.yml;False
proc_creation_win_powershell_cl_loadassembly.yml;False
proc_creation_win_powershell_cl_mutexverifiers.yml;False
proc_creation_win_powershell_cmdline_convertto_securestring.yml;True
proc_creation_win_powershell_cmdline_reversed_strings.yml;False
proc_creation_win_powershell_cmdline_special_characters.yml;True
proc_creation_win_powershell_computer_discovery_get_adcomputer.yml;False
proc_creation_win_powershell_create_service.yml;True
proc_creation_win_powershell_decode_gzip.yml;False
proc_creation_win_powershell_decrypt_pattern.yml;False
proc_creation_win_powershell_defender_disable_feature.yml;False
proc_creation_win_powershell_defender_exclusion.yml;True
proc_creation_win_powershell_disable_defender_av_security_monitoring.yml;True
proc_creation_win_powershell_disable_firewall.yml;False
proc_creation_win_powershell_disable_ie_features.yml;False
proc_creation_win_powershell_downgrade_attack.yml;True
proc_creation_win_powershell_download_com_cradles.yml;False
proc_creation_win_powershell_download_cradles.yml;True
proc_creation_win_powershell_download_dll.yml;False
proc_creation_win_powershell_download_iex.yml;True
proc_creation_win_powershell_download_patterns.yml;True
proc_creation_win_powershell_download_susp_file_sharing_domains.yml;False
proc_creation_win_powershell_email_exfil.yml;False
proc_creation_win_powershell_enable_susp_windows_optional_feature.yml;False
proc_creation_win_powershell_encode.yml;True
proc_creation_win_powershell_encoding_patterns.yml;True
proc_creation_win_powershell_exec_data_file.yml;False
proc_creation_win_powershell_export_certificate.yml;True
proc_creation_win_powershell_frombase64string.yml;True
proc_creation_win_powershell_frombase64string_archive.yml;False
proc_creation_win_powershell_getprocess_lsass.yml;True
proc_creation_win_powershell_get_clipboard.yml;False
proc_creation_win_powershell_get_localgroup_member_recon.yml;False
proc_creation_win_powershell_hide_services_via_set_service.yml;False
proc_creation_win_powershell_iex_patterns.yml;False
proc_creation_win_powershell_import_cert_susp_locations.yml;False
proc_creation_win_powershell_import_module_susp_dirs.yml;False
proc_creation_win_powershell_install_unsigned_appx_packages.yml;False
proc_creation_win_powershell_invocation_specific.yml;False
proc_creation_win_powershell_invoke_webrequest_direct_ip.yml;True
proc_creation_win_powershell_invoke_webrequest_download.yml;True
proc_creation_win_powershell_mailboxexport_share.yml;False
proc_creation_win_powershell_malicious_cmdlets.yml;False
proc_creation_win_powershell_msexchange_transport_agent.yml;True
proc_creation_win_powershell_non_interactive_execution.yml;True
proc_creation_win_powershell_obfuscation_via_utf8.yml;False
proc_creation_win_powershell_public_folder.yml;False
proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml;True
proc_creation_win_powershell_remove_mppreference.yml;False
proc_creation_win_powershell_reverse_shell_connection.yml;True
proc_creation_win_powershell_run_script_from_ads.yml;True
proc_creation_win_powershell_run_script_from_input_stream.yml;False
proc_creation_win_powershell_sam_access.yml;True
proc_creation_win_powershell_script_engine_parent.yml;True
proc_creation_win_powershell_service_dacl_modification_set_service.yml;False
proc_creation_win_powershell_set_acl.yml;True
proc_creation_win_powershell_set_acl_susp_location.yml;False
proc_creation_win_powershell_set_policies_to_unsecure_level.yml;True
proc_creation_win_powershell_set_service_disabled.yml;False
proc_creation_win_powershell_shadowcopy_deletion.yml;False
proc_creation_win_powershell_snapins_hafnium.yml;False
proc_creation_win_powershell_stop_service.yml;True
proc_creation_win_powershell_susp_child_processes.yml;True
proc_creation_win_powershell_susp_download_patterns.yml;True
proc_creation_win_powershell_susp_parameter_variation.yml;True
proc_creation_win_powershell_susp_parent_process.yml;True
proc_creation_win_powershell_susp_ps_appdata.yml;False
proc_creation_win_powershell_susp_ps_downloadfile.yml;True
proc_creation_win_powershell_token_obfuscation.yml;False
proc_creation_win_powershell_user_discovery_get_aduser.yml;False
proc_creation_win_powershell_webclient_casing.yml;False
proc_creation_win_powershell_x509enrollment.yml;False
proc_creation_win_powershell_xor_commandline.yml;True
proc_creation_win_powershell_zip_compress.yml;True
proc_creation_win_presentationhost_download.yml;False
proc_creation_win_presentationhost_uncommon_location_exec.yml;False
proc_creation_win_pressanykey_lolbin_execution.yml;False
proc_creation_win_print_remote_file_copy.yml;True
proc_creation_win_protocolhandler_download.yml;True
proc_creation_win_provlaunch_potential_abuse.yml;False
proc_creation_win_provlaunch_susp_child_process.yml;True
proc_creation_win_psr_capture_screenshots.yml;True
proc_creation_win_pua_3proxy_execution.yml;False
proc_creation_win_pua_adfind_enumeration.yml;True
proc_creation_win_pua_adfind_susp_usage.yml;True
proc_creation_win_pua_advancedrun.yml;True
proc_creation_win_pua_advancedrun_priv_user.yml;True
proc_creation_win_pua_advanced_ip_scanner.yml;False
proc_creation_win_pua_advanced_port_scanner.yml;False
proc_creation_win_pua_chisel.yml;False
proc_creation_win_pua_cleanwipe.yml;False
proc_creation_win_pua_crassus.yml;False
proc_creation_win_pua_csexec.yml;False
proc_creation_win_pua_defendercheck.yml;False
proc_creation_win_pua_ditsnap.yml;False
proc_creation_win_pua_frp.yml;False
proc_creation_win_pua_iox.yml;False
proc_creation_win_pua_mouselock_execution.yml;False
proc_creation_win_pua_netcat.yml;True
proc_creation_win_pua_netscan.yml;False
proc_creation_win_pua_ngrok.yml;True
proc_creation_win_pua_nimgrab.yml;True
proc_creation_win_pua_nircmd.yml;False
proc_creation_win_pua_nircmd_as_system.yml;False
proc_creation_win_pua_nmap_zenmap.yml;True
proc_creation_win_pua_nps.yml;False
proc_creation_win_pua_nsudo.yml;True
proc_creation_win_pua_pingcastle.yml;False
proc_creation_win_pua_pingcastle_script_parent.yml;False
proc_creation_win_pua_process_hacker.yml;False
proc_creation_win_pua_radmin.yml;True
proc_creation_win_pua_rcedit_execution.yml;False
proc_creation_win_pua_rclone_execution.yml;True
proc_creation_win_pua_runxcmd.yml;False
proc_creation_win_pua_seatbelt.yml;False
proc_creation_win_pua_system_informer.yml;False
proc_creation_win_pua_webbrowserpassview.yml;True
proc_creation_win_pua_wsudo_susp_execution.yml;False
proc_creation_win_python_adidnsdump.yml;True
proc_creation_win_python_inline_command_execution.yml;False
proc_creation_win_python_pty_spawn.yml;False
proc_creation_win_query_session_exfil.yml;False
proc_creation_win_rar_compression_with_password.yml;False
proc_creation_win_rar_compress_data.yml;True
proc_creation_win_rar_susp_greedy_compression.yml;False
proc_creation_win_rasdial_execution.yml;False
proc_creation_win_rdrleakdiag_process_dumping.yml;False
proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml;False
proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml;False
proc_creation_win_regedit_export_critical_keys.yml;False
proc_creation_win_regedit_export_keys.yml;True
proc_creation_win_regedit_import_keys.yml;True
proc_creation_win_regedit_import_keys_ads.yml;False
proc_creation_win_regedit_trustedinstaller.yml;False
proc_creation_win_regini_ads.yml;False
proc_creation_win_regini_execution.yml;False
proc_creation_win_registry_cimprovider_dll_load.yml;True
proc_creation_win_registry_enumeration_for_credentials_cli.yml;False
proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml;False
proc_creation_win_registry_install_reg_debugger_backdoor.yml;True
proc_creation_win_registry_logon_script.yml;False
proc_creation_win_registry_new_network_provider.yml;False
proc_creation_win_registry_privilege_escalation_via_service_key.yml;False
proc_creation_win_registry_provlaunch_provisioning_command.yml;True
proc_creation_win_registry_set_unsecure_powershell_policy.yml;False
proc_creation_win_registry_typed_paths_persistence.yml;False
proc_creation_win_regsvr32_flags_anomaly.yml;True
proc_creation_win_regsvr32_http_ip_pattern.yml;False
proc_creation_win_regsvr32_network_pattern.yml;False
proc_creation_win_regsvr32_remote_share.yml;False
proc_creation_win_regsvr32_susp_child_process.yml;False
proc_creation_win_regsvr32_susp_exec_path_1.yml;False
proc_creation_win_regsvr32_susp_exec_path_2.yml;True
proc_creation_win_regsvr32_susp_extensions.yml;True
proc_creation_win_regsvr32_susp_parent.yml;True
proc_creation_win_regsvr32_uncommon_extension.yml;True
proc_creation_win_reg_add_run_key.yml;True
proc_creation_win_reg_add_safeboot.yml;False
proc_creation_win_reg_bitlocker.yml;False
proc_creation_win_reg_credential_access_via_password_filter.yml;False
proc_creation_win_reg_defender_exclusion.yml;False
proc_creation_win_reg_delete_safeboot.yml;False
proc_creation_win_reg_delete_services.yml;False
proc_creation_win_reg_desktop_background_change.yml;False
proc_creation_win_reg_direct_asep_registry_keys_modification.yml;True
proc_creation_win_reg_disable_sec_services.yml;True
proc_creation_win_reg_dumping_sensitive_hives.yml;True
proc_creation_win_reg_enumeration_for_credentials_in_registry.yml;True
proc_creation_win_reg_import_from_suspicious_paths.yml;False
proc_creation_win_reg_lsa_disable_restricted_admin.yml;False
proc_creation_win_reg_lsa_ppl_protection_disabled.yml;True
proc_creation_win_reg_machineguid.yml;True
proc_creation_win_reg_modify_group_policy_settings.yml;True
proc_creation_win_reg_nolmhash.yml;False
proc_creation_win_reg_open_command.yml;True
proc_creation_win_reg_query_registry.yml;True
proc_creation_win_reg_rdp_keys_tamper.yml;True
proc_creation_win_reg_screensaver.yml;True
proc_creation_win_reg_service_imagepath_change.yml;True
proc_creation_win_reg_software_discovery.yml;True
proc_creation_win_reg_susp_paths.yml;True
proc_creation_win_reg_volsnap_disable.yml;False
proc_creation_win_reg_windows_defender_tamper.yml;True
proc_creation_win_reg_write_protect_for_storage_disabled.yml;False
proc_creation_win_remote_access_tools_anydesk.yml;True
proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml;False
proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml;False
proc_creation_win_remote_access_tools_anydesk_silent_install.yml;False
proc_creation_win_remote_access_tools_anydesk_susp_exec.yml;False
proc_creation_win_remote_access_tools_gotoopener.yml;True
proc_creation_win_remote_access_tools_logmein.yml;True
proc_creation_win_remote_access_tools_netsupport.yml;True
proc_creation_win_remote_access_tools_netsupport_susp_exec.yml;True
proc_creation_win_remote_access_tools_rurat_non_default_location.yml;False
proc_creation_win_remote_access_tools_screenconnect.yml;False
proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml;False
proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml;False
proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml;False
proc_creation_win_remote_access_tools_screenconnect_webshell.yml;False
proc_creation_win_remote_access_tools_simple_help.yml;False
proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml;False
proc_creation_win_remote_access_tools_ultraviewer.yml;True
proc_creation_win_remote_time_discovery.yml;True
proc_creation_win_renamed_adfind.yml;False
proc_creation_win_renamed_autohotkey.yml;False
proc_creation_win_renamed_autoit.yml;False
proc_creation_win_renamed_binary.yml;True
proc_creation_win_renamed_binary_highly_relevant.yml;True
proc_creation_win_renamed_browsercore.yml;False
proc_creation_win_renamed_cloudflared.yml;False
proc_creation_win_renamed_createdump.yml;False
proc_creation_win_renamed_curl.yml;False
proc_creation_win_renamed_dctask64.yml;False
proc_creation_win_renamed_ftp.yml;False
proc_creation_win_renamed_gpg4win.yml;False
proc_creation_win_renamed_jusched.yml;False
proc_creation_win_renamed_mavinject.yml;False
proc_creation_win_renamed_megasync.yml;False
proc_creation_win_renamed_msdt.yml;False
proc_creation_win_renamed_netsupport_rat.yml;True
proc_creation_win_renamed_nircmd.yml;False
proc_creation_win_renamed_office_processes.yml;False
proc_creation_win_renamed_paexec.yml;False
proc_creation_win_renamed_pingcastle.yml;False
proc_creation_win_renamed_plink.yml;False
proc_creation_win_renamed_pressanykey.yml;False
proc_creation_win_renamed_rundll32_dllregisterserver.yml;False
proc_creation_win_renamed_rurat.yml;False
proc_creation_win_renamed_sysinternals_debugview.yml;False
proc_creation_win_renamed_sysinternals_procdump.yml;True
proc_creation_win_renamed_sysinternals_psexec_service.yml;False
proc_creation_win_renamed_sysinternals_sdelete.yml;False
proc_creation_win_renamed_vmnat.yml;False
proc_creation_win_renamed_whoami.yml;False
proc_creation_win_rpcping_credential_capture.yml;False
proc_creation_win_ruby_inline_command_execution.yml;False
proc_creation_win_rundll32_ads_stored_dll_execution.yml;False
proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml;False
proc_creation_win_rundll32_by_ordinal.yml;True
proc_creation_win_rundll32_inline_vbs.yml;False
proc_creation_win_rundll32_installscreensaver.yml;True
proc_creation_win_rundll32_keymgr.yml;True
proc_creation_win_rundll32_mshtml_runhtmlapplication.yml;False
proc_creation_win_rundll32_no_params.yml;False
proc_creation_win_rundll32_ntlmrelay.yml;False
proc_creation_win_rundll32_obfuscated_ordinal_call.yml;False
proc_creation_win_rundll32_parent_explorer.yml;False
proc_creation_win_rundll32_process_dump_via_comsvcs.yml;True
proc_creation_win_rundll32_registered_com_objects.yml;True
proc_creation_win_rundll32_run_locations.yml;True
proc_creation_win_rundll32_setupapi_installhinfsection.yml;False
proc_creation_win_rundll32_shell32_susp_execution.yml;False
proc_creation_win_rundll32_shelldispatch_potential_abuse.yml;False
proc_creation_win_rundll32_spawn_explorer.yml;False
proc_creation_win_rundll32_susp_activity.yml;True
proc_creation_win_rundll32_susp_control_dll_load.yml;False
proc_creation_win_rundll32_susp_execution_with_image_extension.yml;False
proc_creation_win_rundll32_susp_shellexec_execution.yml;False
proc_creation_win_rundll32_susp_shimcache_flush.yml;False
proc_creation_win_rundll32_sys.yml;False
proc_creation_win_rundll32_uncommon_dll_extension.yml;True
proc_creation_win_rundll32_unc_path.yml;False
proc_creation_win_rundll32_user32_dll.yml;False
proc_creation_win_rundll32_webdav_client_execution.yml;True
proc_creation_win_rundll32_webdav_client_susp_execution.yml;False
proc_creation_win_rundll32_without_parameters.yml;False
proc_creation_win_runonce_execution.yml;True
proc_creation_win_schtasks_appdata_local_system.yml;False
proc_creation_win_schtasks_change.yml;False
proc_creation_win_schtasks_creation.yml;True
proc_creation_win_schtasks_creation_temp_folder.yml;False
proc_creation_win_schtasks_delete.yml;True
proc_creation_win_schtasks_delete_all.yml;False
proc_creation_win_schtasks_disable.yml;True
proc_creation_win_schtasks_env_folder.yml;True
proc_creation_win_schtasks_folder_combos.yml;False
proc_creation_win_schtasks_guid_task_name.yml;False
proc_creation_win_schtasks_one_time_only_midnight_task.yml;False
proc_creation_win_schtasks_persistence_windows_telemetry.yml;False
proc_creation_win_schtasks_powershell_persistence.yml;False
proc_creation_win_schtasks_reg_loader.yml;False
proc_creation_win_schtasks_reg_loader_encoded.yml;False
proc_creation_win_schtasks_schedule_type.yml;False
proc_creation_win_schtasks_schedule_type_system.yml;False
proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml;False
proc_creation_win_schtasks_susp_pattern.yml;False
proc_creation_win_schtasks_system.yml;False
proc_creation_win_scrcons_susp_child_process.yml;False
proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml;False
proc_creation_win_sc_create_service.yml;True
proc_creation_win_sc_disable_service.yml;False
proc_creation_win_sc_new_kernel_driver.yml;False
proc_creation_win_sc_query_interesting_services.yml;False
proc_creation_win_sc_sdset_allow_service_changes.yml;True
proc_creation_win_sc_sdset_deny_service_access.yml;True
proc_creation_win_sc_sdset_hide_sevices.yml;True
proc_creation_win_sc_sdset_modification.yml;True
proc_creation_win_sc_service_path_modification.yml;True
proc_creation_win_sc_service_tamper_for_persistence.yml;True
proc_creation_win_sc_stop_service.yml;True
proc_creation_win_sdbinst_shim_persistence.yml;True
proc_creation_win_sdbinst_susp_extension.yml;False
proc_creation_win_sdclt_child_process.yml;True
proc_creation_win_sdiagnhost_susp_child.yml;False
proc_creation_win_secedit_execution.yml;True
proc_creation_win_servu_susp_child_process.yml;False
proc_creation_win_setspn_spn_enumeration.yml;True
proc_creation_win_shutdown_execution.yml;True
proc_creation_win_shutdown_logoff.yml;True
proc_creation_win_sndvol_susp_child_processes.yml;False
proc_creation_win_soundrecorder_audio_capture.yml;False
proc_creation_win_splwow64_cli_anomaly.yml;False
proc_creation_win_spoolsv_susp_child_processes.yml;False
proc_creation_win_sqlcmd_veeam_db_recon.yml;False
proc_creation_win_sqlcmd_veeam_dump.yml;False
proc_creation_win_sqlite_chromium_profile_data.yml;False
proc_creation_win_sqlite_firefox_gecko_profile_data.yml;True
proc_creation_win_squirrel_download.yml;False
proc_creation_win_squirrel_proxy_execution.yml;False
proc_creation_win_ssh_port_forward.yml;False
proc_creation_win_ssh_rdp_tunneling.yml;False
proc_creation_win_ssm_agent_abuse.yml;False
proc_creation_win_stordiag_susp_child_process.yml;False
proc_creation_win_susp_16bit_application.yml;False
proc_creation_win_susp_abusing_debug_privilege.yml;True
proc_creation_win_susp_add_user_local_admin_group.yml;False
proc_creation_win_susp_add_user_privileged_group.yml;False
proc_creation_win_susp_add_user_remote_desktop_group.yml;True
proc_creation_win_susp_alternate_data_streams.yml;True
proc_creation_win_susp_always_install_elevated_windows_installer.yml;True
proc_creation_win_susp_appx_execution.yml;False
proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml;False
proc_creation_win_susp_archiver_iso_phishing.yml;False
proc_creation_win_susp_automated_collection.yml;True
proc_creation_win_susp_bad_opsec_sacrificial_processes.yml;True
proc_creation_win_susp_child_process_as_system_.yml;False
proc_creation_win_susp_cli_obfuscation_escape_char.yml;False
proc_creation_win_susp_cli_obfuscation_unicode.yml;True
proc_creation_win_susp_commandline_path_traversal_evasion.yml;False
proc_creation_win_susp_copy_browser_data.yml;False
proc_creation_win_susp_copy_lateral_movement.yml;True
proc_creation_win_susp_copy_system_dir.yml;True
proc_creation_win_susp_copy_system_dir_lolbin.yml;True
proc_creation_win_susp_crypto_mining_monero.yml;False
proc_creation_win_susp_data_exfiltration_via_cli.yml;False
proc_creation_win_susp_disable_raccine.yml;False
proc_creation_win_susp_double_extension.yml;True
proc_creation_win_susp_double_extension_parent.yml;False
proc_creation_win_susp_download_office_domain.yml;False
proc_creation_win_susp_dumpstack_log_evasion.yml;False
proc_creation_win_susp_elavated_msi_spawned_shell.yml;False
proc_creation_win_susp_electron_app_children.yml;False
proc_creation_win_susp_electron_execution_proxy.yml;True
proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml;False
proc_creation_win_susp_embed_exe_lnk.yml;False
proc_creation_win_susp_etw_modification_cmdline.yml;False
proc_creation_win_susp_etw_trace_evasion.yml;True
proc_creation_win_susp_eventlog_clear.yml;True
proc_creation_win_susp_eventlog_content_recon.yml;False
proc_creation_win_susp_execution_from_guid_folder_names.yml;False
proc_creation_win_susp_execution_from_public_folder_as_parent.yml;False
proc_creation_win_susp_execution_path.yml;True
proc_creation_win_susp_file_characteristics.yml;False
proc_creation_win_susp_gather_network_info_execution.yml;False
proc_creation_win_susp_hidden_dir_index_allocation.yml;False
proc_creation_win_susp_hiding_malware_in_fonts_folder.yml;False
proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml;False
proc_creation_win_susp_image_missing.yml;False
proc_creation_win_susp_inline_base64_mz_header.yml;False
proc_creation_win_susp_inline_win_api_access.yml;False
proc_creation_win_susp_local_system_owner_account_discovery.yml;True
proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml;True
proc_creation_win_susp_lsass_dmp_cli_keywords.yml;True
proc_creation_win_susp_ms_appinstaller_download.yml;False
proc_creation_win_susp_network_command.yml;True
proc_creation_win_susp_network_scan_loop.yml;True
proc_creation_win_susp_network_sniffing.yml;True
proc_creation_win_susp_non_exe_image.yml;True
proc_creation_win_susp_non_priv_reg_or_ps.yml;False
proc_creation_win_susp_ntds.yml;False
proc_creation_win_susp_nteventlogfile_usage.yml;False
proc_creation_win_susp_ntfs_short_name_path_use_cli.yml;True
proc_creation_win_susp_ntfs_short_name_path_use_image.yml;True
proc_creation_win_susp_ntfs_short_name_use_cli.yml;False
proc_creation_win_susp_ntfs_short_name_use_image.yml;False
proc_creation_win_susp_obfuscated_ip_download.yml;False
proc_creation_win_susp_obfuscated_ip_via_cli.yml;False
proc_creation_win_susp_office_token_search.yml;False
proc_creation_win_susp_parents.yml;False
proc_creation_win_susp_powershell_execution_via_dll.yml;False
proc_creation_win_susp_private_keys_recon.yml;True
proc_creation_win_susp_privilege_escalation_cli_patterns.yml;False
proc_creation_win_susp_priv_escalation_via_named_pipe.yml;False
proc_creation_win_susp_proc_wrong_parent.yml;False
proc_creation_win_susp_progname.yml;True
proc_creation_win_susp_recon.yml;True
proc_creation_win_susp_recycle_bin_fake_execution.yml;False
proc_creation_win_susp_redirect_local_admin_share.yml;False
proc_creation_win_susp_remote_desktop_tunneling.yml;False
proc_creation_win_susp_right_to_left_override.yml;False
proc_creation_win_susp_script_exec_from_env_folder.yml;False
proc_creation_win_susp_script_exec_from_temp.yml;True
proc_creation_win_susp_sensitive_file_access_shadowcopy.yml;True
proc_creation_win_susp_service_creation.yml;True
proc_creation_win_susp_service_dir.yml;False
proc_creation_win_susp_service_tamper.yml;True
proc_creation_win_susp_shadow_copies_creation.yml;True
proc_creation_win_susp_shadow_copies_deletion.yml;True
proc_creation_win_susp_shell_spawn_susp_program.yml;True
proc_creation_win_susp_sysnative.yml;False
proc_creation_win_susp_system_exe_anomaly.yml;True
proc_creation_win_susp_system_user_anomaly.yml;True
proc_creation_win_susp_sysvol_access.yml;False
proc_creation_win_susp_task_folder_evasion.yml;False
proc_creation_win_susp_userinit_child.yml;False
proc_creation_win_susp_use_of_te_bin.yml;False
proc_creation_win_susp_use_of_vsjitdebugger_bin.yml;False
proc_creation_win_susp_weak_or_abused_passwords.yml;True
proc_creation_win_susp_web_request_cmd_and_cmdlets.yml;True
proc_creation_win_susp_whoami_as_param.yml;False
proc_creation_win_susp_workfolders.yml;False
proc_creation_win_svchost_execution_with_no_cli_flags.yml;False
proc_creation_win_svchost_termserv_proc_spawn.yml;False
proc_creation_win_svchost_uncommon_parent_process.yml;True
proc_creation_win_sysinternals_accesschk_check_permissions.yml;False
proc_creation_win_sysinternals_adexplorer_execution.yml;False
proc_creation_win_sysinternals_adexplorer_susp_execution.yml;False
proc_creation_win_sysinternals_eula_accepted.yml;True
proc_creation_win_sysinternals_livekd_execution.yml;False
proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml;False
proc_creation_win_sysinternals_procdump.yml;True
proc_creation_win_sysinternals_procdump_evasion.yml;False
proc_creation_win_sysinternals_procdump_lsass.yml;True
proc_creation_win_sysinternals_psexec_execution.yml;True
proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml;False
proc_creation_win_sysinternals_psexec_remote_execution.yml;False
proc_creation_win_sysinternals_psexesvc.yml;False
proc_creation_win_sysinternals_psexesvc_as_system.yml;False
proc_creation_win_sysinternals_psloglist.yml;True
proc_creation_win_sysinternals_psservice.yml;False
proc_creation_win_sysinternals_pssuspend_execution.yml;False
proc_creation_win_sysinternals_pssuspend_susp_execution.yml;False
proc_creation_win_sysinternals_sdelete.yml;True
proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml;False
proc_creation_win_sysinternals_sysmon_config_update.yml;False
proc_creation_win_sysinternals_sysmon_uninstall.yml;True
proc_creation_win_sysinternals_tools_masquerading.yml;True
proc_creation_win_sysprep_appdata.yml;False
proc_creation_win_systeminfo_execution.yml;True
proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml;False
proc_creation_win_takeown_recursive_own.yml;True
proc_creation_win_tapinstall_execution.yml;False
proc_creation_win_tar_compression.yml;False
proc_creation_win_tar_extraction.yml;False
proc_creation_win_taskkill_sep.yml;False
proc_creation_win_tasklist_module_enumeration.yml;False
proc_creation_win_taskmgr_localsystem.yml;False
proc_creation_win_taskmgr_susp_child_process.yml;False
proc_creation_win_teams_suspicious_command_line_cred_access.yml;False
proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml;False
proc_creation_win_tscon_localsystem.yml;True
proc_creation_win_tscon_rdp_redirect.yml;False
proc_creation_win_tscon_rdp_session_hijacking.yml;False
proc_creation_win_uac_bypass_changepk_slui.yml;False
proc_creation_win_uac_bypass_cleanmgr.yml;False
proc_creation_win_uac_bypass_cmstp.yml;True
proc_creation_win_uac_bypass_cmstp_com_object_access.yml;True
proc_creation_win_uac_bypass_computerdefaults.yml;False
proc_creation_win_uac_bypass_consent_comctl32.yml;False
proc_creation_win_uac_bypass_dismhost.yml;False
proc_creation_win_uac_bypass_eventvwr_recentviews.yml;False
proc_creation_win_uac_bypass_fodhelper.yml;True
proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml;False
proc_creation_win_uac_bypass_icmluautil.yml;False
proc_creation_win_uac_bypass_idiagnostic_profile.yml;False
proc_creation_win_uac_bypass_ieinstal.yml;False
proc_creation_win_uac_bypass_msconfig_gui.yml;False
proc_creation_win_uac_bypass_ntfs_reparse_point.yml;False
proc_creation_win_uac_bypass_pkgmgr_dism.yml;False
proc_creation_win_uac_bypass_sdclt.yml;True
proc_creation_win_uac_bypass_trustedpath.yml;False
proc_creation_win_uac_bypass_winsat.yml;False
proc_creation_win_uac_bypass_wmp.yml;False
proc_creation_win_uac_bypass_wsreset.yml;False
proc_creation_win_uac_bypass_wsreset_integrity_level.yml;True
proc_creation_win_ultravnc.yml;True
proc_creation_win_ultravnc_susp_execution.yml;False
proc_creation_win_uninstall_crowdstrike_falcon.yml;True
proc_creation_win_userinit_uncommon_child_processes.yml;True
proc_creation_win_vaultcmd_list_creds.yml;True
proc_creation_win_verclsid_runs_com.yml;False
proc_creation_win_virtualbox_execution.yml;True
proc_creation_win_virtualbox_vboxdrvinst_execution.yml;False
proc_creation_win_vmware_toolbox_cmd_persistence.yml;False
proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml;False
proc_creation_win_vmware_vmtoolsd_susp_child_process.yml;False
proc_creation_win_vscode_child_processes_anomalies.yml;False
proc_creation_win_vscode_tunnel_execution.yml;False
proc_creation_win_vscode_tunnel_remote_shell_.yml;False
proc_creation_win_vscode_tunnel_renamed_execution.yml;False
proc_creation_win_vscode_tunnel_service_install.yml;False
proc_creation_win_vsdiagnostics_execution_proxy.yml;False
proc_creation_win_vslsagent_agentextensionpath_load.yml;False
proc_creation_win_w32tm.yml;True
proc_creation_win_wab_execution_from_non_default_location.yml;False
proc_creation_win_wab_unusual_parents.yml;False
proc_creation_win_wbadmin_delete_all_backups.yml;False
proc_creation_win_wbadmin_delete_backups.yml;True
proc_creation_win_wbadmin_dump_sensitive_files.yml;False
proc_creation_win_wbadmin_restore_file.yml;False
proc_creation_win_wbadmin_restore_sensitive_files.yml;False
proc_creation_win_webdav_lnk_execution.yml;False
proc_creation_win_webshell_chopper.yml;False
proc_creation_win_webshell_hacking.yml;False
proc_creation_win_webshell_recon_commands_and_processes.yml;False
proc_creation_win_webshell_susp_process_spawned_from_webserver.yml;False
proc_creation_win_webshell_tool_recon.yml;False
proc_creation_win_werfault_lsass_shtinkering.yml;False
proc_creation_win_werfault_reflect_debugger_exec.yml;False
proc_creation_win_wermgr_susp_child_process.yml;False
proc_creation_win_wermgr_susp_exec_location.yml;False
proc_creation_win_wget_download_direct_ip.yml;False
proc_creation_win_wget_download_susp_file_sharing_domains.yml;False
proc_creation_win_wget_download_susp_locations.yml;False
proc_creation_win_where_browser_data_recon.yml;True
proc_creation_win_whoami_all_execution.yml;False
proc_creation_win_whoami_execution.yml;True
proc_creation_win_whoami_execution_from_high_priv_process.yml;False
proc_creation_win_whoami_groups_discovery.yml;False
proc_creation_win_whoami_output.yml;True
proc_creation_win_whoami_parent_anomaly.yml;False
proc_creation_win_whoami_priv_discovery.yml;True
proc_creation_win_windows_terminal_susp_children.yml;False
proc_creation_win_winget_add_custom_source.yml;False
proc_creation_win_winget_add_insecure_custom_source.yml;False
proc_creation_win_winget_add_susp_custom_source.yml;False
proc_creation_win_winget_local_install_via_manifest.yml;False
proc_creation_win_winrar_exfil_dmp_files.yml;False
proc_creation_win_winrar_susp_child_process.yml;False
proc_creation_win_winrar_uncommon_folder_execution.yml;False
proc_creation_win_winrm_awl_bypass.yml;False
proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml;False
proc_creation_win_winrm_remote_powershell_session_process.yml;True
proc_creation_win_winrm_susp_child_process.yml;False
proc_creation_win_winzip_password_compression.yml;True
proc_creation_win_wlrmdr_uncommon_child_process.yml;False
proc_creation_win_wmic_eventconsumer_creation.yml;False
proc_creation_win_wmic_namespace_defender.yml;True
proc_creation_win_wmic_process_creation.yml;True
proc_creation_win_wmic_recon_computersystem.yml;False
proc_creation_win_wmic_recon_csproduct.yml;False
proc_creation_win_wmic_recon_group.yml;True
proc_creation_win_wmic_recon_hotfix.yml;False
proc_creation_win_wmic_recon_process.yml;True
proc_creation_win_wmic_recon_product.yml;False
proc_creation_win_wmic_recon_product_class.yml;False
proc_creation_win_wmic_recon_service.yml;False
proc_creation_win_wmic_recon_system_info_uncommon.yml;True
proc_creation_win_wmic_recon_unquoted_service_search.yml;False
proc_creation_win_wmic_recon_volume.yml;False
proc_creation_win_wmic_remote_execution.yml;True
proc_creation_win_wmic_service_manipulation.yml;False
proc_creation_win_wmic_squiblytwo_bypass.yml;True
proc_creation_win_wmic_susp_execution_via_office_process.yml;False
proc_creation_win_wmic_susp_process_creation.yml;True
proc_creation_win_wmic_terminate_application.yml;False
proc_creation_win_wmic_uninstall_application.yml;True
proc_creation_win_wmic_uninstall_security_products.yml;False
proc_creation_win_wmic_xsl_script_processing.yml;True
proc_creation_win_wmiprvse_spawning_process.yml;True
proc_creation_win_wmiprvse_spawns_powershell.yml;True
proc_creation_win_wmiprvse_susp_child_processes.yml;True
proc_creation_win_wmi_backdoor_exchange_transport_agent.yml;False
proc_creation_win_wmi_persistence_script_event_consumer.yml;False
proc_creation_win_wpbbin_potential_persistence.yml;False
proc_creation_win_wscript_cscript_dropper.yml;True
proc_creation_win_wscript_cscript_susp_child_processes.yml;False
proc_creation_win_wscript_cscript_uncommon_extension_exec.yml;False
proc_creation_win_wsl_child_processes_anomalies.yml;False
proc_creation_win_wsl_lolbin_execution.yml;False
proc_creation_win_wsl_windows_binaries_execution.yml;False
proc_creation_win_wuauclt_dll_loading.yml;True
proc_creation_win_wuauclt_no_cli_flags_execution.yml;False
proc_creation_win_wusa_cab_files_extraction.yml;False
proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml;False
proc_creation_win_wusa_susp_parent_execution.yml;False
proc_creation_win_xwizard_execution_non_default_location.yml;False
proc_creation_win_xwizard_runwizard_com_object_exec.yml;False
proc_tampering_susp_process_hollowing.yml;False
raw_access_thread_susp_disk_access_using_uncommon_tools.yml;True
registry_add_malware_netwire.yml;False
registry_add_malware_ursnif.yml;False
registry_add_persistence_amsi_providers.yml;False
registry_add_persistence_com_key_linking.yml;False
registry_add_persistence_disk_cleanup_handler_entry.yml;False
registry_add_persistence_logon_scripts_userinitmprlogonscript.yml;True
registry_add_pua_sysinternals_execution_via_eula.yml;True
registry_add_pua_sysinternals_renamed_execution_via_eula.yml;False
registry_add_pua_sysinternals_susp_execution_via_eula.yml;False
registry_delete_exploit_guard_protected_folders.yml;False
registry_delete_mstsc_history_cleared.yml;True
registry_delete_removal_amsi_registry_key.yml;True
registry_delete_removal_com_hijacking_registry_key.yml;False
registry_delete_schtasks_hide_task_via_index_value_removal.yml;False
registry_delete_schtasks_hide_task_via_sd_value_removal.yml;False
registry_event_add_local_hidden_user.yml;False
registry_event_apt_leviathan.yml;False
registry_event_apt_oceanlotus_registry.yml;False
registry_event_apt_oilrig_mar18.yml;False
registry_event_apt_pandemic.yml;False
registry_event_bypass_via_wsreset.yml;False
registry_event_cmstp_execution_by_registry.yml;True
registry_event_disable_security_events_logging_adding_reg_key_minint.yml;False
registry_event_disable_wdigest_credential_guard.yml;False
registry_event_esentutl_volume_shadow_copy_service_keys.yml;False
registry_event_hack_wce_reg.yml;False
registry_event_hybridconnectionmgr_svc_installation.yml;False
registry_event_malware_qakbot_registry.yml;False
registry_event_mal_azorult.yml;False
registry_event_mimikatz_printernightmare.yml;False
registry_event_modify_screensaver_binary_path.yml;False
registry_event_narrator_feedback_persistance.yml;False
registry_event_net_ntlm_downgrade.yml;True
registry_event_new_dll_added_to_appcertdlls_registry_key.yml;False
registry_event_new_dll_added_to_appinit_dlls_registry_key.yml;False
registry_event_office_test_regadd.yml;False
registry_event_office_trust_record_modification.yml;True
registry_event_persistence_recycle_bin.yml;True
registry_event_portproxy_registry_key.yml;False
registry_event_redmimicry_winnti_reg.yml;False
registry_event_runkey_winekey.yml;False
registry_event_runonce_persistence.yml;False
registry_event_shell_open_keys_manipulation.yml;True
registry_event_silentprocessexit_lsass.yml;False
registry_event_ssp_added_lsa_config.yml;True
registry_event_stickykey_like_backdoor.yml;True
registry_event_susp_atbroker_change.yml;True
registry_event_susp_download_run_key.yml;False
registry_event_susp_lsass_dll_load.yml;True
registry_event_susp_mic_cam_access.yml;True
registry_set_enable_anonymous_connection.yml;False
registry_set_add_load_service_in_safe_mode.yml;True
registry_set_add_port_monitor.yml;True
registry_set_aedebug_persistence.yml;False
registry_set_allow_rdp_remote_assistance_feature.yml;True
registry_set_amsi_com_hijack.yml;True
registry_set_asep_reg_keys_modification_classes.yml;False
registry_set_asep_reg_keys_modification_common.yml;True
registry_set_asep_reg_keys_modification_currentcontrolset.yml;True
registry_set_asep_reg_keys_modification_currentversion.yml;True
registry_set_asep_reg_keys_modification_currentversion_nt.yml;True
registry_set_asep_reg_keys_modification_internet_explorer.yml;False
registry_set_asep_reg_keys_modification_office.yml;True
registry_set_asep_reg_keys_modification_session_manager.yml;True
registry_set_asep_reg_keys_modification_system_scripts.yml;False
registry_set_asep_reg_keys_modification_winsock2.yml;False
registry_set_asep_reg_keys_modification_wow6432node.yml;False
registry_set_asep_reg_keys_modification_wow6432node_classes.yml;False
registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml;False
registry_set_bginfo_custom_db.yml;False
registry_set_bginfo_custom_vbscript.yml;False
registry_set_bginfo_custom_wmi_query.yml;False
registry_set_blackbyte_ransomware.yml;True
registry_set_bypass_uac_using_delegateexecute.yml;True
registry_set_bypass_uac_using_eventviewer.yml;True
registry_set_bypass_uac_using_silentcleanup_task.yml;True
registry_set_change_rdp_port.yml;True
registry_set_change_security_zones.yml;True
registry_set_change_sysmon_driver_altitude.yml;False
registry_set_change_winevt_channelaccess.yml;False
registry_set_chrome_extension.yml;True
registry_set_clickonce_trust_prompt.yml;False
registry_set_cobaltstrike_service_installs.yml;False
registry_set_comhijack_sdclt.yml;False
registry_set_crashdump_disabled.yml;False
registry_set_creation_service_susp_folder.yml;True
registry_set_custom_file_open_handler_powershell_execution.yml;False
registry_set_dbgmanageddebugger_persistence.yml;False
registry_set_defender_exclusions.yml;True
registry_set_desktop_background_change.yml;False
registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml;True
registry_set_dhcp_calloutdll.yml;False
registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml;False
registry_set_disabled_microsoft_defender_eventlog.yml;False
registry_set_disabled_pua_protection_on_microsoft_defender.yml;False
registry_set_disabled_tamper_protection_on_microsoft_defender.yml;False
registry_set_disable_administrative_share.yml;True
registry_set_disable_autologger_sessions.yml;False
registry_set_disable_defender_firewall.yml;True
registry_set_disable_function_user.yml;True
registry_set_disable_macroruntimescanscope.yml;False
registry_set_disable_privacy_settings_experience.yml;True
registry_set_disable_security_center_notifications.yml;True
registry_set_disable_system_restore.yml;True
registry_set_disable_windows_defender_service.yml;False
registry_set_disable_windows_firewall.yml;True
registry_set_disable_winevt_logging.yml;True
registry_set_disallowrun_execution.yml;True
registry_set_disk_cleanup_handler_autorun_persistence.yml;False
registry_set_dns_over_https_enabled.yml;False
registry_set_dns_server_level_plugin_dll.yml;False
registry_set_dot_net_etw_tamper.yml;True
registry_set_enabling_cor_profiler_env_variables.yml;True
registry_set_enabling_turnoffcheck.yml;False
registry_set_evtx_file_key_tamper.yml;False
registry_set_exploit_guard_susp_allowed_apps.yml;False
registry_set_fax_change_service_user.yml;False
registry_set_fax_dll_persistance.yml;False
registry_set_file_association_exefile.yml;False
registry_set_hangs_debugger_persistence.yml;False
registry_set_hhctrl_persistence.yml;False
registry_set_hidden_extention.yml;True
registry_set_hide_file.yml;True
registry_set_hide_function_user.yml;True
registry_set_hide_scheduled_task_via_index_tamper.yml;False
registry_set_ie_security_zone_protocol_defaults_downgrade.yml;False
registry_set_ime_non_default_extension.yml;False
registry_set_ime_suspicious_paths.yml;False
registry_set_install_root_or_ca_certificat.yml;True
registry_set_internet_explorer_disable_first_run_customize.yml;False
registry_set_legalnotice_susp_message.yml;True
registry_set_lolbin_onedrivestandaloneupdater.yml;False
registry_set_lsass_usermode_dumping.yml;False
registry_set_lsa_disablerestrictedadmin.yml;True
registry_set_mal_blue_mockingbird.yml;False
registry_set_netsh_helper_dll_potential_persistence.yml;False
registry_set_netsh_help_dll_persistence_susp_location.yml;False
registry_set_net_cli_ngenassemblyusagelog.yml;False
registry_set_new_application_appcompat.yml;False
registry_set_new_network_provider.yml;False
registry_set_odbc_driver_registered.yml;False
registry_set_odbc_driver_registered_susp.yml;False
registry_set_office_access_vbom_tamper.yml;False
registry_set_office_disable_protected_view_features.yml;True
registry_set_office_enable_dde.yml;False
registry_set_office_outlook_enable_load_macro_provider_on_boot.yml;False
registry_set_office_outlook_enable_macro_execution.yml;False
registry_set_office_outlook_enable_unsafe_client_mail_rules.yml;False
registry_set_office_outlook_security_settings.yml;True
registry_set_office_trusted_location_uncommon.yml;False
registry_set_office_trust_record_susp_location.yml;True
registry_set_office_vba_warnings_tamper.yml;False
registry_set_optimize_file_sharing_network.yml;False
registry_set_persistence_appx_debugger.yml;False
registry_set_persistence_app_cpmpat_layer_registerapprestart.yml;False
registry_set_persistence_app_paths.yml;False
registry_set_persistence_autodial_dll.yml;True
registry_set_persistence_chm.yml;False
registry_set_persistence_comhijack_psfactorybuffer.yml;False
registry_set_persistence_com_hijacking_susp_locations.yml;False
registry_set_persistence_custom_protocol_handler.yml;False
registry_set_persistence_event_viewer_events_asp.yml;True
registry_set_persistence_globalflags.yml;True
registry_set_persistence_ie.yml;True
registry_set_persistence_ifilter.yml;False
registry_set_persistence_lsa_extension.yml;False
registry_set_persistence_mpnotify.yml;False
registry_set_persistence_mycomputer.yml;False
registry_set_persistence_natural_language.yml;False
registry_set_persistence_office_vsto.yml;True
registry_set_persistence_outlook_homepage.yml;True
registry_set_persistence_outlook_todaypage.yml;False
registry_set_persistence_reflectdebugger.yml;False
registry_set_persistence_scrobj_dll.yml;True
registry_set_persistence_search_order.yml;True
registry_set_persistence_shim_database.yml;True
registry_set_persistence_shim_database_susp_application.yml;False
registry_set_persistence_shim_database_uncommon_location.yml;False
registry_set_persistence_typed_paths.yml;False
registry_set_persistence_xll.yml;False
registry_set_policies_associations_tamper.yml;False
registry_set_policies_attachments_tamper.yml;False
registry_set_powershell_as_service.yml;True
registry_set_powershell_enablescripts_enabled.yml;False
registry_set_powershell_execution_policy.yml;False
registry_set_powershell_in_run_keys.yml;True
registry_set_powershell_logging_disabled.yml;True
registry_set_provisioning_command_abuse.yml;False
registry_set_renamed_sysinternals_eula_accepted.yml;False
registry_set_rpcrt4_etw_tamper.yml;False
registry_set_scr_file_executed_by_rundll32.yml;False
registry_set_sentinelone_shell_context_tampering.yml;False
registry_set_servicedll_hijack.yml;True
registry_set_services_etw_tamper.yml;False
registry_set_set_nopolicies_user.yml;True
registry_set_sip_persistence.yml;True
registry_set_sophos_av_tamper.yml;False
registry_set_special_accounts.yml;True
registry_set_suppress_defender_notifications.yml;True
registry_set_suspicious_env_variables.yml;False
registry_set_susp_keyboard_layout_load.yml;False
registry_set_susp_pendingfilerenameoperations.yml;False
registry_set_susp_printer_driver.yml;False
registry_set_susp_reg_persist_explorer_run.yml;False
registry_set_susp_run_key_img_folder.yml;True
registry_set_susp_service_installed.yml;False
registry_set_susp_user_shell_folders.yml;True
registry_set_system_lsa_nolmhash.yml;False
registry_set_taskcache_entry.yml;False
registry_set_telemetry_persistence.yml;False
registry_set_terminal_server_suspicious.yml;True
registry_set_terminal_server_tampering.yml;True
registry_set_timeproviders_dllname.yml;True
registry_set_tls_protocol_old_version_enabled.yml;False
registry_set_treatas_persistence.yml;True
registry_set_turn_on_dev_features.yml;False
registry_set_uac_bypass_eventvwr.yml;False
registry_set_uac_bypass_sdclt.yml;False
registry_set_uac_bypass_winsat.yml;False
registry_set_uac_bypass_wmp.yml;False
registry_set_uac_disable.yml;True
registry_set_uac_disable_notification.yml;True
registry_set_uac_disable_secure_desktop_prompt.yml;False
registry_set_vbs_payload_stored.yml;False
registry_set_wab_dllpath_reg_change.yml;False
registry_set_wdigest_enable_uselogoncredential.yml;True
registry_set_windows_defender_tamper.yml;True
registry_set_winget_admin_settings_tampering.yml;False
registry_set_winget_enable_local_manifest.yml;False
registry_set_winlogon_allow_multiple_tssessions.yml;False
registry_set_winlogon_notify_key.yml;True
sysmon_config_modification.yml;False
sysmon_config_modification_error.yml;False
sysmon_config_modification_status.yml;False
sysmon_file_block_executable.yml;False
sysmon_file_block_shredding.yml;False
sysmon_file_executable_detected.yml;False
sysmon_wmi_event_subscription.yml;True
sysmon_wmi_susp_encoded_scripts.yml;False
sysmon_wmi_susp_scripting.yml;True
web_cve_2010_5278_exploitation_attempt.yml;False
web_cve_2014_6287_hfs_rce.yml;False
proc_creation_win_apt_zxshell.yml;False
proc_creation_win_apt_turla_commands_critical.yml;False
proc_creation_win_apt_turla_comrat_may20.yml;False
proc_creation_win_exploit_cve_2015_1641.yml;False
proc_creation_win_exploit_cve_2017_0261.yml;False
proc_creation_win_exploit_cve_2017_11882.yml;False
proc_creation_win_exploit_cve_2017_8759.yml;False
proc_creation_win_malware_adwind.yml;False
win_security_mal_cosmik_duke_persistence.yml;False
proc_creation_win_malware_fireball.yml;False
proc_access_win_malware_verclsid_shellcode.yml;False
proc_creation_win_malware_notpetya.yml;False
proc_creation_win_malware_plugx_susp_exe_locations.yml;False
win_system_apt_stonedrill.yml;False
proc_creation_win_malware_wannacry.yml;True
proc_creation_win_apt_apt10_cloud_hopper.yml;False
proc_creation_win_apt_ta17_293a_ps.yml;False
net_firewall_apt_equationgroup_c2.yml;False
proc_creation_win_apt_lazarus_binary_masquerading.yml;False
pipe_created_apt_turla_named_pipes.yml;False
win_system_apt_carbonpaper_turla.yml;False
win_system_apt_turla_service_png.yml;False
web_cve_2018_13379_fortinet_preauth_read_exploit.yml;False
web_cve_2018_2894_weblogic_exploit.yml;False
proc_creation_win_malware_elise.yml;False
proc_creation_win_apt_apt27_emissary_panda.yml;False
proc_creation_win_apt_sofacy.yml;False
file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml;False
proc_creation_win_apt_apt29_phishing_campaign_indicators.yml;False
proc_creation_win_apt_muddywater_activity.yml;False
proc_creation_win_apt_oilrig_mar18.yml;False
win_security_apt_oilrig_mar18.yml;False
win_system_apt_oilrig_mar18.yml;False
proc_creation_win_apt_slingshot.yml;False
win_security_apt_slingshot.yml;False
proc_creation_win_apt_tropictrooper.yml;False
proc_creation_win_exploit_other_bearlpe.yml;False
web_cve_2019_11510_pulsesecure_exploit.yml;False
proc_creation_win_exploit_cve_2019_1378.yml;False
proc_creation_win_exploit_cve_2019_1388.yml;False
web_cve_2019_19781_citrix_exploit.yml;False
web_cve_2019_3398_confluence.yml;False
proc_creation_win_malware_babyshark.yml;False
proxy_malware_chafer_url_pattern.yml;False
proc_creation_win_malware_dridex.yml;False
proc_creation_win_malware_dtrack.yml;False
proc_creation_win_malware_emotet.yml;False
proc_creation_win_malware_formbook.yml;False
proc_creation_win_malware_lockergoga_ransomware.yml;False
proc_creation_win_malware_qbot.yml;False
proc_creation_win_malware_ryuk.yml;False
proc_creation_win_malware_snatch_ransomware.yml;False
proxy_malware_ursnif_c2_url.yml;False
proxy_malware_ursnif_download_url.yml;False
proc_creation_win_apt_aptc12_bluemushroom.yml;True
proc_creation_win_apt_apt31_judgement_panda.yml;False
proxy_apt_apt40_dropbox_tool_ua.yml;False
proc_creation_win_apt_bear_activity_gtr19.yml;False
proc_creation_win_apt_empiremonkey.yml;False
proc_creation_win_apt_equationgroup_dll_u_load.yml;False
proc_creation_win_apt_mustangpanda.yml;False
proc_creation_win_apt_wocao.yml;True
win_security_apt_wocao.yml;False
web_cve_2020_0688_exchange_exploit.yml;False
web_cve_2020_0688_msexchange.yml;False
win_vul_cve_2020_0688.yml;False
web_cve_2020_10148_solarwinds_exploit.yml;False
proc_creation_win_exploit_cve_2020_10189.yml;False
proc_creation_win_exploit_cve_2020_1048.yml;False
registry_set_exploit_cve_2020_1048_new_printer_port.yml;False
proc_creation_win_exploit_cve_2020_1350.yml;False
web_cve_2020_14882_weblogic_exploit.yml;False
web_cve_2020_28188_terramaster_rce_exploit.yml;False
web_cve_2020_3452_cisco_asa_ftd.yml;False
web_cve_2020_5902_f5_bigip.yml;False
web_cve_2020_8193_8195_citrix_exploit.yml;False
proc_creation_win_malware_blue_mockingbird.yml;False
proxy_malware_comrat_network_indicators.yml;False
proc_creation_win_malware_emotet_rundll32_execution.yml;False
registry_event_malware_flowcloud_markers.yml;False
proc_creation_win_malware_ke3chang_tidepool.yml;False
proc_creation_win_malware_maze_ransomware.yml;False
proc_creation_win_malware_trickbot_wermgr.yml;False
proc_creation_win_apt_evilnum_jul20.yml;False
proc_creation_win_apt_gallium_iocs.yml;False
win_dns_analytic_apt_gallium.yml;False
proc_creation_win_apt_greenbug_may20.yml;False
proc_creation_win_apt_lazarus_group_activity.yml;False
proc_creation_win_apt_unc2452_cmds.yml;True
proc_creation_win_apt_unc2452_ps.yml;False
proc_creation_win_apt_unc2452_vbscript_pattern.yml;False
web_solarwinds_supernova_webshell.yml;False
proc_creation_win_apt_taidoor.yml;False
proc_creation_win_apt_winnti_mal_hk_jan20.yml;False
proc_creation_win_apt_winnti_pipemon.yml;False
file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml;False
registry_set_cve_2021_31979_cve_2021_33771_exploits.yml;False
web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml;False
win_exchange_cve_2021_42321.yml;False
av_printernightmare_cve_2021_34527.yml;False
file_event_win_cve_2021_1675_printspooler.yml;False
win_exploit_cve_2021_1675_printspooler.yml;False
win_exploit_cve_2021_1675_printspooler_operational.yml;False
win_security_exploit_cve_2021_1675_printspooler_security.yml;False
web_cve_2021_2109_weblogic_rce_exploit.yml;False
web_cve_2021_21972_vsphere_unauth_rce_exploit.yml;False
web_cve_2021_21978_vmware_view_planner_exploit.yml;False
web_cve_2021_22005_vmware_file_upload.yml;False
web_cve_2021_22123_fortinet_exploit.yml;False
web_cve_2021_22893_pulse_secure_rce_exploit.yml;False
proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml;False
web_cve_2021_26084_confluence_rce_exploit.yml;False
web_cve_2021_26814_wzuh_rce.yml;False
proc_creation_win_exploit_cve_2021_26857_msexchange.yml;False
file_event_win_cve_2021_26858_msexchange.yml;False
web_cve_2021_26858_iis_rce.yml;False
web_cve_2021_27905_apache_solr_exploit.yml;False
web_cve_2021_28480_exchange_exploit.yml;False
web_cve_2021_33766_msexchange_proxytoken.yml;False
proc_creation_win_exploit_cve_2021_35211_servu.yml;False
file_event_win_exploit_cve_2021_40444.yml;False
proc_creation_win_exploit_cve_2021_40444.yml;False
proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml;False
web_cve_2021_40539_adselfservice.yml;False
web_cve_2021_40539_manageengine_adselfservice_exploit.yml;False
file_event_win_cve_2021_41379_msi_lpe.yml;False
proc_creation_win_exploit_cve_2021_41379.yml;False
win_vul_cve_2021_41379.yml;False
web_cve_2021_41773_apache_path_traversal.yml;False
web_cve_2021_42237_sitecore_report_ashx.yml;False
win_system_exploit_cve_2021_42278.yml;False
win_security_samaccountname_spoofing_cve_2021_42287.yml;False
web_cve_2021_43798_grafana.yml;False
file_event_win_cve_2021_44077_poc_default_files.yml;False
web_cve_2021_44228_log4j.yml;False
web_cve_2021_44228_log4j_fields.yml;False
web_exchange_proxyshell.yml;False
web_exchange_proxyshell_successful.yml;False
proc_creation_win_exploit_other_razorinstaller_lpe.yml;False
proc_creation_win_exploit_other_systemnightmare.yml;False
web_sonicwall_jarrewrite_exploit.yml;False
proc_creation_win_malware_blackbyte_ransomware.yml;True
proc_creation_win_malware_conti.yml;False
proc_creation_win_malware_conti_7zip.yml;False
proc_creation_win_malware_conti_ransomware_commands.yml;False
proc_creation_win_malware_conti_ransomware_database_dump.yml;False
proc_creation_win_malware_darkside_ransomware.yml;False
file_event_win_malware_devil_bait_script_drop.yml;False
proc_creation_win_malware_devil_bait_output_redirect.yml;False
proxy_malware_devil_bait_c2_communication.yml;False
image_load_malware_foggyweb_nobelium.yml;False
file_event_win_malware_goofy_guineapig_file_indicators.yml;False
proc_creation_win_malware_goofy_guineapig_broken_cmd.yml;False
proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml;False
proxy_malware_goofy_gunieapig_c2_communication.yml;False
win_system_malware_goofy_guineapig_service_persistence.yml;False
file_event_win_moriya_rootkit.yml;False
file_event_win_malware_pingback_backdoor.yml;False
image_load_malware_pingback_backdoor.yml;False
proc_creation_win_malware_pingback_backdoor.yml;False
file_event_win_malware_small_sieve_evasion_typo.yml;False
proc_creation_win_malware_small_sieve_cli_arg.yml;False
proxy_malware_small_sieve_telegram_communication.yml;False
registry_set_malware_small_sieve_evasion_typo.yml;False
proc_creation_win_apt_hafnium.yml;False
web_exchange_exploitation_hafnium.yml;False
proc_creation_win_apt_revil_kaseya.yml;False
image_load_usp_svchost_clfsw32.yml;False
proc_creation_win_apt_sourgrum.yml;False
web_unc2546_dewmode_php_webshell.yml;False
proc_creation_win_exploit_cve_2023_21554_queuejumper.yml;False
web_cve_2022_21587_oracle_ebs.yml;False
file_event_win_cve_2022_24527_lpe.yml;False
proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml;False
web_cve_2022_27925_exploit.yml;False
proc_creation_win_exploit_cve_2022_29072_7zip.yml;False
registry_set_exploit_cve_2022_30190_msdt_follina.yml;False
web_cve_2022_31656_auth_bypass.yml;False
web_cve_2022_31659_vmware_rce.yml;False
web_cve_2022_33891_spark_shell_command_injection.yml;False
web_cve_2022_36804_atlassian_bitbucket_command_injection.yml;False
proxy_cve_2022_36804_exchange_owassrf_exploitation.yml;False
proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml;False
web_cve_2022_36804_exchange_owassrf_exploitation.yml;False
web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml;False
proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml;False
fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml;False
web_cve_2022_44877_exploitation_attempt.yml;False
web_cve_2022_46169_cacti_exploitation_attempt.yml;False
win_mssql_sp_maggie.yml;False
win_security_malware_bluesky_ransomware_files_indicators.yml;False
create_remote_thread_win_malware_bumblebee.yml;False
proc_creation_win_malware_hermetic_wiper_activity.yml;False
proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml;False
proc_creation_win_apt_actinium_persistence.yml;False
proc_creation_win_apt_mercury.yml;False
win_msmq_corrupted_packet.yml;False
cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml;False
proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml;False
proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml;False
proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml;False
web_exploit_cve_2023_22518_confluence_auth_bypass.yml;False
lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml;False
registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml;False
win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml;False
win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml;False
web_cve_2023_23752_joomla_exploit_attempt.yml;False
web_cve_2023_25157_geoserver_sql_injection.yml;False
web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml;False
file_event_win_cve_2023_27363_foxit_rce.yml;False
web_cve_2023_27997_pre_authentication_rce.yml;False
file_event_win_exploit_cve_2023_34362_moveit_transfer.yml;False
web_cve_2023_34362_known_payload_request.yml.yml;False
file_event_win_exploit_cve_2023_36874_report_creation.yml;False
file_event_win_exploit_cve_2023_36874_wermgr_creation.yml;False
proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml;False
file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml;False
proxy_exploit_cve_2023_36884_office_windows_html_rce.yml;False
proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml;False
proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml;False
proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml;False
win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml;False
file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml;False
proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml;False
file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml;False
win_application_exploit_cve_2023_40477_winrar_crash.yml;False
proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml;False
web_exploit_cve_2023_43261_milesight_information_disclosure.yml;False
web_cve_2023_46214_rce_splunk_enterprise.yml;False
web_cve_2023_46214_rce_splunk_enterprise_poc.yml;False
proxy_cve_2023_46747_f5_remote_code_execution.yml;False
web_cve_2023_46747_f5_remote_code_execution.yml;False
proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml;False
proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml;False
web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml;False
web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml;False
proc_creation_win_exploit_other_win_server_undocumented_rce.yml;False
dns_query_win_malware_socgholish_second_stage_c2.yml;False
file_event_win_malware_coldsteel_renamed_cmd.yml;False
file_event_win_malware_coldsteel_service_dll_creation.yml;False
image_load_malware_coldsteel_persistence_service_dll.yml;False
proc_creation_win_malware_coldsteel_anonymous_process.yml;False
proc_creation_win_malware_coldsteel_cleanup.yml;False
proc_creation_win_malware_coldsteel_service_persistence.yml;False
registry_set_malware_coldsteel_created_users.yml;False
win_system_malware_coldsteel_persistence_service.yml;False
file_event_win_malware_darkgate_autoit3_binary_creation.yml;False
proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml;False
proc_creation_win_malware_darkgate_net_user_creation.yml;False
proc_creation_win_malware_griffon_patterns.yml;False
proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml;False
net_connection_win_malware_pikabot_rundll32_activity.yml;False
proc_creation_win_malware_pikabot_combined_commands_execution.yml;False
proc_creation_win_malware_pikabot_discovery.yml;False
proc_creation_win_malware_pikabot_rundll32_hollowing.yml;False
proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml;False
proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml;False
proc_creation_win_malware_qakbot_rundll32_execution.yml;False
proc_creation_win_malware_qakbot_rundll32_exports.yml;False
proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml;False
proc_creation_win_malware_qakbot_uninstaller_cleanup.yml;False
proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml;False
proc_creation_win_malware_rorschach_ransomware_activity.yml;False
file_event_win_malware_snake_encrypted_payload_ioc.yml;True
file_event_win_malware_snake_installers_ioc.yml;False
file_event_win_malware_snake_werfault_creation.yml;False
proc_creation_win_malware_snake_installer_cli_args.yml;False
proc_creation_win_malware_snake_installer_exec.yml;False
proc_creation_win_malware_snake_service_execution.yml;False
registry_event_malware_snake_covert_store_key.yml;False
registry_set_malware_snake_encrypted_key.yml;False
win_system_malware_snake_persistence_service.yml;False
dns_query_win_malware_3cx_compromise.yml;False
image_load_malware_3cx_compromise_susp_dll.yml;False
net_connection_win_malware_3cx_compromise_beaconing_activity.yml;False
proc_creation_win_malware_3cx_compromise_execution.yml;False
proc_creation_win_malware_3cx_compromise_susp_children.yml;False
proc_creation_win_malware_3cx_compromise_susp_update.yml;False
proxy_malware_3cx_compromise_c2_beacon_activity.yml;False
proxy_malware_3cx_compromise_susp_ico_requests.yml;False
image_load_apt_cozy_bear_graphical_proton_dlls.yml;False
win_security_apt_cozy_bear_scheduled_tasks_name.yml;False
win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml;False
dns_query_win_apt_diamond_steel_indicators.yml;False
file_event_win_apt_diamond_sleet_indicators.yml;False
image_load_apt_diamond_sleet_side_load.yml;False
proc_creation_win_apt_diamond_sleet_indicators.yml;False
registry_event_apt_diamond_sleet_scheduled_task.yml;False
win_security_apt_diamond_sleet_scheduled_task.yml;False
net_dns_apt_equation_group_triangulation_c2_coms.yml;False
proxy_apt_equation_group_triangulation_c2_coms.yml;False
file_event_win_apt_fin7_powershell_scripts_naming_convention.yml;False
posh_ps_apt_fin7_powerhold.yml;False
posh_ps_apt_fin7_powertrash_execution.yml;False
proc_creation_win_apt_fin7_powertrash_lateral_movement.yml;False
file_event_win_apt_lace_tempest_indicators.yml;False
posh_ps_apt_lace_tempest_eraser_script.yml;False
posh_ps_apt_lace_tempest_malware_launcher.yml;False
proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml;False
proc_creation_win_apt_lace_tempest_loader_execution.yml;False
image_load_apt_lazarus_side_load_activity.yml;False
proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml;False
proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml;False
proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml;False
proc_creation_win_apt_mustang_panda_indicators.yml;False
okta_apt_suspicious_user_creation.yml;False
file_event_win_apt_onyx_sleet_indicators.yml;False
proc_creation_win_papercut_print_management_exploitation_indicators.yml;False
proc_creation_win_papercut_print_management_exploitation_pc_app.yml;False
proc_creation_win_apt_peach_sandstorm_indicators.yml;False
proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml;False
file_event_lnx_apt_unc4841_exfil_mail_pattern.yml;False
file_event_lnx_apt_unc4841_file_indicators.yml;False
proc_creation_lnx_apt_unc4841_openssl_connection.yml;False
proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml;False
proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml;False
proc_creation_lnx_atp_unc4841_seaspy_execution.yml;False
web_exploit_cve_2024_1212_.yml;False
file_event_win_exploit_cve_2024_1708_screenconnect.yml;False
win_security_exploit_cve_2024_1708_screenconnect.yml;False
file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml;False
web_exploit_cve_2024_1709_screenconnect.yml;False
win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml;False
proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml;False
file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml;False
paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml;False
proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml;False
proc_creation_win_malware_kamikakabot_schtasks_persistence.yml;False
registry_set_malware_kamikakabot_winlogon_persistence.yml;False
proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml;False
dns_query_win_apt_dprk_malicious_domains.yml;False
file_event_win_apt_forest_blizzard_activity.yml;False
file_event_win_apt_forest_blizzard_constrained_js.yml;False
proc_creation_win_apt_forest_blizzard_activity.yml;False
registry_set_apt_forest_blizzard_custom_protocol_handler.yml;False
registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml;False
file_event_win_apt_unknown_exploitation_indicators.yml;False
microsoft365_susp_email_forwarding_activity.yml;False
okta_password_health_report_query.yml;False
file_event_lnx_python_path_configuration_files.yml;False
file_event_macos_python_path_configuration_files.yml;False
proxy_susp_class_extension_request.yml;False
win_firewall_as_change_rule.yml;False
win_security_scheduled_task_deletion.yml;False
create_remote_thread_win_loadlibrary.yml;False
create_remote_thread_win_powershell_generic.yml;True
file_access_win_susp_gpo_access_uncommon_process.yml;False
file_delete_win_zone_identifier_ads.yml;False
file_event_win_dump_file_creation.yml;False
file_event_win_python_path_configuration_files.yml;False
file_event_win_scheduled_task_creation.yml;False
file_event_win_susp_binary_dropper.yml;True
file_event_win_vscode_tunnel_indicators.yml;False
file_event_win_webdav_tmpfile_creation.yml;False
file_rename_win_non_dll_to_dll_ext.yml;True
image_load_dll_amsi_uncommon_process.yml;False
image_load_dll_dbghelp_dbgcore_susp_load.yml;True
image_load_dll_system_drawing_load.yml;True
image_load_office_excel_xll_load.yml;False
image_load_wmi_module_load_by_uncommon_process.yml;False
net_connection_win_dfsvc_non_local_ip.yml;False
net_connection_win_dfsvc_uncommon_ports.yml;False
net_connection_win_hh_http_connection.yml;False
net_connection_win_powershell_network_connection.yml;True
pipe_created_sysinternals_psexec_default_pipe.yml;True
posh_pc_alternate_powershell_hosts.yml;False
posh_pm_susp_netfirewallrule_recon.yml;False
posh_ps_compress_archive_usage.yml;True
posh_ps_mailbox_access.yml;False
posh_ps_new_netfirewallrule_allow.yml;False
posh_ps_new_smbmapping_quic.yml;False
posh_ps_registry_reconnaissance.yml;False
posh_ps_remove_item_path.yml;True
posh_ps_win_api_functions_access.yml;False
posh_ps_win_api_library_access.yml;False
proc_access_win_lsass_powershell_access.yml;False
proc_access_win_lsass_susp_source_process.yml;True
proc_access_win_lsass_uncommon_access_flag.yml;True
proc_creation_win_attrib_system.yml;True
proc_creation_win_cmd_redirect.yml;True
proc_creation_win_csc_compilation.yml;False
proc_creation_win_curl_download.yml;False
proc_creation_win_curl_execution.yml;False
proc_creation_win_curl_fileupload.yml;True
proc_creation_win_curl_useragent.yml;True
proc_creation_win_dfsvc_child_processes.yml;False
proc_creation_win_diskshadow_child_process.yml;False
proc_creation_win_diskshadow_script_mode.yml;True
proc_creation_win_findstr_password_recon.yml;False
proc_creation_win_iexpress_execution.yml;False
proc_creation_win_mode_codepage_change.yml;False
proc_creation_win_net_execution.yml;True
proc_creation_win_net_quic.yml;False
proc_creation_win_office_svchost_parent.yml;True
proc_creation_win_powershell_abnormal_commandline_size.yml;True
proc_creation_win_powershell_crypto_namespace.yml;False
proc_creation_win_powershell_import_module.yml;False
proc_creation_win_powershell_new_netfirewallrule_allow.yml;False
proc_creation_win_regsvr32_dllregisterserver_exec.yml;False
proc_creation_win_remote_access_tools_screenconnect_child_proc.yml;False
proc_creation_win_rundll32_dllregisterserver.yml;False
proc_creation_win_schtasks_creation_from_susp_parent.yml;False
proc_creation_win_sc_query.yml;True
proc_creation_win_susp_compression_params.yml;True
proc_creation_win_susp_elevated_system_shell.yml;False
proc_creation_win_susp_event_log_query.yml;False
proc_creation_win_susp_execution_path_webserver.yml;False
proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml;False
proc_creation_win_susp_file_permission_modifications.yml;True
proc_creation_win_taskkill_execution.yml;True
proc_creation_win_tasklist_basic_execution.yml;True
proc_creation_win_wmic_recon_system_info.yml;False
proc_creation_win_wscript_cscript_script_exec.yml;True
registry_event_scheduled_task_creation.yml;False
registry_set_office_trusted_location.yml;False
registry_set_powershell_crypto_namespace.yml;False
registry_set_service_image_path_user_controlled_folder.yml;True
registry_set_shell_context_menu_tampering.yml;False