Path	Lines of Code
rules_building_block/collection_archive_data_zip_imageload.toml	62
rules_building_block/collection_common_compressed_archived_file.toml	117
rules_building_block/collection_files_staged_in_recycle_bin_root.toml	55
rules_building_block/collection_outlook_email_archive.toml	64
rules_building_block/collection_posh_compression.toml	123
rules_building_block/command_and_control_bitsadmin_activity.toml	85
rules_building_block/command_and_control_certutil_network_connection.toml	143
rules_building_block/command_and_control_non_standard_http_port.toml	135
rules_building_block/credential_access_iis_apppoolsa_pwd_appcmd.toml	51
rules_building_block/credential_access_mdmp_file_creation.toml	91
rules_building_block/credential_access_mdmp_file_unusual_extension.toml	75
rules_building_block/credential_access_win_private_key_access.toml	86
rules_building_block/defense_evasion_aws_rds_snapshot_created.toml	59
rules_building_block/defense_evasion_cmd_copy_binary_contents.toml	70
rules_building_block/defense_evasion_cmstp_execution.toml	62
rules_building_block/defense_evasion_collection_masquerading_unusual_archive_file_extension.toml	61
rules_building_block/defense_evasion_dll_hijack.toml	97
rules_building_block/defense_evasion_dotnet_clickonce_dfsvc_netcon.toml	54
rules_building_block/defense_evasion_download_susp_extension.toml	85
rules_building_block/defense_evasion_execution_via_visualstudio_prebuildevent.toml	94
rules_building_block/defense_evasion_file_permission_modification.toml	57
rules_building_block/defense_evasion_generic_deletion.toml	62
rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml	46
rules_building_block/defense_evasion_injection_from_msoffice.toml	82
rules_building_block/defense_evasion_installutil_command_activity.toml	54
rules_building_block/defense_evasion_invalid_codesign_imageload.toml	54
rules_building_block/defense_evasion_masquerading_browsers.toml	186
rules_building_block/defense_evasion_masquerading_unusual_exe_file_extension.toml	60
rules_building_block/defense_evasion_masquerading_vlc_dll.toml	69
rules_building_block/defense_evasion_msdt_suspicious_diagcab.toml	61
rules_building_block/defense_evasion_msiexec_installsource_archive_file.toml	60
rules_building_block/defense_evasion_outlook_suspicious_child.toml	100
rules_building_block/defense_evasion_posh_defender_tampering.toml	88
rules_building_block/defense_evasion_powershell_clear_logs_script.toml	97
rules_building_block/defense_evasion_processes_with_trailing_spaces.toml	52
rules_building_block/defense_evasion_service_disabled_registry.toml	64
rules_building_block/defense_evasion_service_path_registry.toml	87
rules_building_block/defense_evasion_services_exe_path.toml	84
rules_building_block/defense_evasion_suspicious_msiexec_execution.toml	77
rules_building_block/defense_evasion_unsigned_bits_client.toml	58
rules_building_block/defense_evasion_unusual_process_extension.toml	73
rules_building_block/defense_evasion_unusual_process_path_wbem.toml	57
rules_building_block/defense_evasion_write_dac_access.toml	73
rules_building_block/discovery_capnetraw_capability.toml	77
rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml	98
rules_building_block/discovery_generic_account_groups.toml	94
rules_building_block/discovery_generic_process_discovery.toml	55
rules_building_block/discovery_generic_registry_query.toml	68
rules_building_block/discovery_getconf_execution.toml	49
rules_building_block/discovery_hosts_file_access.toml	48
rules_building_block/discovery_internet_capabilities.toml	57
rules_building_block/discovery_kernel_module_enumeration_via_proc.toml	74
rules_building_block/discovery_linux_modprobe_enumeration.toml	72
rules_building_block/discovery_linux_sysctl_enumeration.toml	70
rules_building_block/discovery_linux_system_information_discovery.toml	47
rules_building_block/discovery_linux_system_owner_user_discovery.toml	51
rules_building_block/discovery_net_share_discovery_winlog.toml	62
rules_building_block/discovery_net_view.toml	101
rules_building_block/discovery_of_accounts_or_groups_via_builtin_tools.toml	70
rules_building_block/discovery_of_domain_groups.toml	49
rules_building_block/discovery_posh_generic.toml	268
rules_building_block/discovery_posh_password_policy.toml	111
rules_building_block/discovery_post_exploitation_external_ip_lookup.toml	138
rules_building_block/discovery_potential_memory_seeking_activity.toml	60
rules_building_block/discovery_process_discovery_via_builtin_tools.toml	54
rules_building_block/discovery_remote_system_discovery_commands_windows.toml	95
rules_building_block/discovery_security_software_wmic.toml	84
rules_building_block/discovery_signal_unusual_user_host.toml	51
rules_building_block/discovery_suspicious_proc_enumeration.toml	73
rules_building_block/discovery_system_network_connections.toml	45
rules_building_block/discovery_system_service_discovery.toml	56
rules_building_block/discovery_system_time_discovery.toml	56
rules_building_block/discovery_win_network_connections.toml	62
rules_building_block/discovery_windows_system_information_discovery.toml	64
rules_building_block/execution_aws_lambda_function_updated.toml	64
rules_building_block/execution_github_new_event_action_for_pat.toml	51
rules_building_block/execution_github_new_repo_interaction_for_pat.toml	52
rules_building_block/execution_github_new_repo_interaction_for_user.toml	51
rules_building_block/execution_github_repo_created.toml	43
rules_building_block/execution_github_repo_interaction_from_new_ip.toml	51
rules_building_block/execution_linux_segfault.toml	52
rules_building_block/execution_settingcontent_ms_file_creation.toml	72
rules_building_block/execution_unsigned_service_executable.toml	72
rules_building_block/execution_wmi_wbemtest.toml	48
rules_building_block/impact_github_member_removed_from_organization.toml	43
rules_building_block/impact_github_pat_access_revoked.toml	43
rules_building_block/impact_github_user_blocked_from_organization.toml	43
rules_building_block/initial_access_github_new_ip_address_for_pat.toml	55
rules_building_block/initial_access_github_new_ip_address_for_user.toml	54
rules_building_block/initial_access_github_new_user_agent_for_pat.toml	55
rules_building_block/initial_access_github_new_user_agent_for_user.toml	54
rules_building_block/lateral_movement_at.toml	66
rules_building_block/lateral_movement_posh_winrm_activity.toml	107
rules_building_block/lateral_movement_rdp_conn_unusual_process.toml	63
rules_building_block/lateral_movement_unusual_process_sql_accounts.toml	98
rules_building_block/lateral_movement_wmic_remote.toml	73
rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml	61
rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml	72
rules_building_block/persistence_creation_of_kernel_module.toml	49
rules_building_block/persistence_github_new_pat_for_user.toml	55
rules_building_block/persistence_github_new_user_added_to_organization.toml	47
rules_building_block/persistence_iam_instance_request_to_iam_service.toml	112
rules_building_block/persistence_startup_folder_lnk.toml	62
rules_building_block/persistence_transport_agent_exchange.toml	115
rules_building_block/persistence_web_server_sus_file_creation.toml	121
rules_building_block/privilege_escalation_trap_execution.toml	52