Path	Lines of Code
hunting/__init__.py	1
hunting/__main__.py	161
hunting/aws/queries/ec2_discovery_multi_region_describe_instance_calls.toml	31
hunting/aws/queries/ec2_high_instance_deployment_count_attempts.toml	37
hunting/aws/queries/ec2_modify_instance_attribute_user_data.toml	27
hunting/aws/queries/ec2_suspicious_get_user_password_request.toml	28
hunting/aws/queries/iam_assume_role_creation_with_attached_policy.toml	32
hunting/aws/queries/iam_customer_managed_policies_attached_to_existing_roles.toml	32
hunting/aws/queries/iam_unusual_access_key_usage_for_user.toml	46
hunting/aws/queries/iam_unusual_default_aviatrix_role_activity.toml	29
hunting/aws/queries/iam_user_activity_with_no_mfa_session.toml	25
hunting/aws/queries/iam_user_creation_with_administrator_policy_assigned.toml	31
hunting/aws/queries/lambda_add_permissions_for_write_actions_to_function.toml	30
hunting/aws/queries/multiple_service_logging_deleted_or_stopped.toml	29
hunting/aws/queries/s3_public_bucket_rapid_object_access_attempts.toml	30
hunting/aws/queries/secretsmanager_high_frequency_get_secret_value.toml	30
hunting/aws/queries/servicequotas_discovery_multi_region_get_service_quota_calls.toml	37
hunting/aws/queries/signin_single_factor_console_login_via_federated_session.toml	27
hunting/aws/queries/sns_direct_to_phone_messaging_spike.toml	35
hunting/aws/queries/sns_email_subscription_by_rare_user.toml	31
hunting/aws/queries/sns_topic_created_by_rare_user.toml	32
hunting/aws/queries/sns_topic_message_published_by_rare_user.toml	32
hunting/aws/queries/ssm_rare_sendcommand_code_execution.toml	27
hunting/aws/queries/ssm_sendcommand_api_used_by_ec2_instance.toml	27
hunting/aws/queries/ssm_start_remote_session_to_ec2_instance.toml	25
hunting/aws/queries/sts_suspicious_federated_temporary_credential_request.toml	31
hunting/azure/queries/entra_authentication_attempts_behind_rare_user_agents.toml	75
hunting/azure/queries/entra_authentication_attempts_from_abused_hosting_service_providers.toml	85
hunting/azure/queries/entra_device_code_authentication_from_unusual_principal.toml	50
hunting/azure/queries/entra_excessive_non_interactive_sfa_sign_ins_across_users.toml	55
hunting/azure/queries/entra_unusual_client_app_auth_request_on_behalf_of_user.toml	55
hunting/definitions.py	39
hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml	65
hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml	28
hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml	30
hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml	28
hunting/linux/queries/defense_evasion_via_multi_dot_process_execution.toml	27
hunting/linux/queries/excessive_ssh_network_activity_unique_destinations.toml	29
hunting/linux/queries/execution_uncommon_process_execution_from_suspicious_directory.toml	46
hunting/linux/queries/login_activity_by_source_address.toml	30
hunting/linux/queries/low_volume_external_network_connections_from_process.toml	38
hunting/linux/queries/low_volume_gtfobins_external_network_connections.toml	35
hunting/linux/queries/low_volume_modifications_to_critical_system_binaries.toml	36
hunting/linux/queries/low_volume_process_injection_syscalls_by_executable.toml	27
hunting/linux/queries/persistence_general_kernel_manipulation.toml	73
hunting/linux/queries/persistence_reverse_bind_shells.toml	46
hunting/linux/queries/persistence_via_cron.toml	97
hunting/linux/queries/persistence_via_desktop_bus.toml	78
hunting/linux/queries/persistence_via_driver_load_with_low_occurrence_frequency.toml	30
hunting/linux/queries/persistence_via_dynamic_linker_hijacking.toml	89
hunting/linux/queries/persistence_via_git_hook_pager.toml	77
hunting/linux/queries/persistence_via_grub_bootloader.toml	101
hunting/linux/queries/persistence_via_initramfs.toml	66
hunting/linux/queries/persistence_via_loadable_kernel_modules.toml	74
hunting/linux/queries/persistence_via_malicious_docker_container.toml	68
hunting/linux/queries/persistence_via_message_of_the_day.toml	67
hunting/linux/queries/persistence_via_network_manager_dispatcher_script.toml	65
hunting/linux/queries/persistence_via_package_manager.toml	85
hunting/linux/queries/persistence_via_pluggable_authentication_module.toml	78
hunting/linux/queries/persistence_via_policykit.toml	64
hunting/linux/queries/persistence_via_rc_local.toml	66
hunting/linux/queries/persistence_via_rpm_dpkg_installer_packages.toml	76
hunting/linux/queries/persistence_via_shell_modification_persistence.toml	99
hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml	85
hunting/linux/queries/persistence_via_systemd_timers.toml	180
hunting/linux/queries/persistence_via_sysv_init.toml	71
hunting/linux/queries/persistence_via_udev.toml	90
hunting/linux/queries/persistence_via_unusual_system_binary_parent.toml	28
hunting/linux/queries/persistence_via_user_group_creation_modification.toml	38
hunting/linux/queries/persistence_via_web_shell.toml	48
hunting/linux/queries/persistence_via_xdg_autostart_modifications.toml	115
hunting/linux/queries/privilege_escalation_via_existing_sudoers.toml	21
hunting/linux/queries/privilege_escalation_via_process_capabilities.toml	47
hunting/linux/queries/privilege_escalation_via_segmentation_fault_and_buffer_overflow.toml	39
hunting/linux/queries/privilege_escalation_via_suid_binaries.toml	54
hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml	35
hunting/llm/queries/aws_bedrock_ignore_previous_prompt_detection.toml	35
hunting/llm/queries/aws_bedrock_latency_anomalies_detection.toml	30
hunting/llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml	28
hunting/macos/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml	27
hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml	32
hunting/markdown.py	102
hunting/okta/queries/credential_access_mfa_bombing_push_notications.toml	30
hunting/okta/queries/credential_access_rapid_reset_password_requests_for_different_users.toml	30
hunting/okta/queries/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.toml	35
hunting/okta/queries/defense_evasion_multiple_application_sso_authentication_repeat_source.toml	35
hunting/okta/queries/defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.toml	36
hunting/okta/queries/defense_evasion_rare_oauth_access_token_granted_by_application.toml	36
hunting/okta/queries/initial_access_higher_than_average_failed_authentication.toml	37
hunting/okta/queries/initial_access_impossible_travel_sign_on.toml	30
hunting/okta/queries/initial_access_password_spraying_from_repeat_source.toml	35
hunting/okta/queries/persistence_multi_factor_push_notification_bombing.toml	28
hunting/okta/queries/persistence_rare_domain_with_user_authentication.toml	30
hunting/run.py	49
hunting/search.py	124
hunting/utils.py	79
hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml	23
hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml	49
hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml	27
hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml	45
hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml	40
hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml	26
hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml	45
hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml	36
hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml	26
hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml	39
hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml	39
hunting/windows/queries/execution_via_remote_services_by_client_address.toml	27
hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml	31
hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml	45
hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml	28
hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency.toml	39
hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process.toml	65
hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency.toml	48
hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml	27
hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml	31
hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml	33
hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency.toml	45
hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml	28
hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml	30
hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml	29
hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml	30
hunting/windows/queries/scheduled_tasks_creation_for_unique_hosts_by_task_command.toml	34
hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml	30
hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml	26
hunting/windows/queries/unique_windows_services_creation_by_servicefilename.toml	63
hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml	27
hunting/windows/queries/windows_logon_activity_by_source_ip.toml	29