- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Documentation
path like ".*/docs/.*"
121 files:

hunting/azure/docs/entra_authentication_attempts_from_abused_hosting_service_providers.md
hunting/azure/docs/entra_unusual_client_app_auth_request_on_behalf_of_user.md
hunting/azure/docs/entra_device_code_authentication_from_unusual_principal.md
hunting/azure/docs/entra_excessive_non_interactive_sfa_sign_ins_across_users.md
hunting/azure/docs/entra_authentication_attempts_behind_rare_user_agents.md
hunting/windows/docs/excessive_smb_network_activity_by_process_id.md
hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency.md
hunting/windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md
hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md
hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md
hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency.md
hunting/windows/docs/windows_logon_activity_by_source_ip.md
hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md
hunting/windows/docs/scheduled_task_creation_by_action_via_registry.md
hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency.md
hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md
hunting/windows/docs/suspicious_dns_txt_record_lookups_by_process.md
hunting/windows/docs/suspicious_base64_encoded_powershell_commands.md
hunting/windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md
hunting/windows/docs/detect_rare_lsass_process_access_attempts.md
hunting/windows/docs/potential_exfiltration_by_process_total_egress_bytes.md
hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process.md
hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md
hunting/windows/docs/execution_via_startup_with_low_occurrence_frequency.md
hunting/windows/docs/persistence_via_startup_with_low_occurrence_frequency.md
hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md
hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md
hunting/windows/docs/detect_rare_dll_sideload_by_occurrence.md
hunting/windows/docs/unique_windows_services_creation_by_servicefilename.md
hunting/windows/docs/createremotethread_by_source_process_with_low_occurrence.md
hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md
hunting/windows/docs/scheduled_tasks_creation_for_unique_hosts_by_task_command.md
hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md
hunting/windows/docs/drivers_load_with_low_occurrence_frequency.md
hunting/windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md
hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md
hunting/windows/docs/execution_via_remote_services_by_client_address.md
hunting/aws/docs/iam_assume_role_creation_with_attached_policy.md
hunting/aws/docs/signin_single_factor_console_login_via_federated_session.md
hunting/aws/docs/multiple_service_logging_deleted_or_stopped.md
hunting/aws/docs/ec2_suspicious_get_user_password_request.md
hunting/aws/docs/sts_suspicious_federated_temporary_credential_request.md
hunting/aws/docs/iam_unusual_default_aviatrix_role_activity.md
hunting/aws/docs/sns_topic_created_by_rare_user.md
hunting/aws/docs/iam_unusual_access_key_usage_for_user.md
hunting/aws/docs/servicequotas_discovery_multi_region_get_service_quota_calls.md
hunting/aws/docs/ec2_modify_instance_attribute_user_data.md
hunting/aws/docs/ec2_high_instance_deployment_count_attempts.md
hunting/aws/docs/ssm_rare_sendcommand_code_execution.md
hunting/aws/docs/sns_email_subscription_by_rare_user.md
hunting/aws/docs/sns_topic_message_published_by_rare_user.md
hunting/aws/docs/iam_customer_managed_policies_attached_to_existing_roles.md
hunting/aws/docs/iam_user_activity_with_no_mfa_session.md
hunting/aws/docs/ssm_start_remote_session_to_ec2_instance.md
hunting/aws/docs/secretsmanager_high_frequency_get_secret_value.md
hunting/aws/docs/ec2_discovery_multi_region_describe_instance_calls.md
hunting/aws/docs/ssm_sendcommand_api_used_by_ec2_instance.md
hunting/aws/docs/iam_user_creation_with_administrator_policy_assigned.md
hunting/aws/docs/lambda_add_permissions_for_write_actions_to_function.md
hunting/aws/docs/sns_direct_to_phone_messaging_spike.md
hunting/aws/docs/s3_public_bucket_rapid_object_access_attempts.md
hunting/llm/docs/aws_bedrock_latency_anomalies_detection.md
hunting/llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md
hunting/llm/docs/aws_bedrock_ignore_previous_prompt_detection.md
hunting/llm/docs/aws_bedrock_sensitive_content_refusal_detection.md
hunting/okta/docs/persistence_multi_factor_push_notification_bombing.md
hunting/okta/docs/defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.md
hunting/okta/docs/credential_access_mfa_bombing_push_notications.md
hunting/okta/docs/persistence_rare_domain_with_user_authentication.md
hunting/okta/docs/initial_access_impossible_travel_sign_on.md
hunting/okta/docs/defense_evasion_multiple_application_sso_authentication_repeat_source.md
hunting/okta/docs/initial_access_password_spraying_from_repeat_source.md
hunting/okta/docs/defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.md
hunting/okta/docs/initial_access_higher_than_average_failed_authentication.md
hunting/okta/docs/defense_evasion_rare_oauth_access_token_granted_by_application.md
hunting/okta/docs/credential_access_rapid_reset_password_requests_for_different_users.md
hunting/macos/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md
hunting/macos/docs/suspicious_network_connections_by_unsigned_macho.md
hunting/linux/docs/persistence_via_sysv_init.md
hunting/linux/docs/persistence_via_malicious_docker_container.md
hunting/linux/docs/persistence_reverse_bind_shells.md
hunting/linux/docs/persistence_via_web_shell.md
hunting/linux/docs/defense_evasion_via_capitalized_process_execution.md
hunting/linux/docs/low_volume_gtfobins_external_network_connections.md
hunting/linux/docs/privilege_escalation_via_suid_binaries.md
hunting/linux/docs/defense_evasion_via_hidden_process_execution.md
hunting/linux/docs/persistence_via_initramfs.md
hunting/linux/docs/persistence_via_rc_local.md
hunting/linux/docs/defense_evasion_via_multi_dot_process_execution.md
hunting/linux/docs/low_volume_process_injection_syscalls_by_executable.md
hunting/linux/docs/low_volume_external_network_connections_from_process.md
hunting/linux/docs/privilege_escalation_via_segmentation_fault_and_buffer_overflow.md
hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md
hunting/linux/docs/persistence_via_policykit.md
hunting/linux/docs/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.md
hunting/linux/docs/persistence_via_shell_modification_persistence.md
hunting/linux/docs/persistence_via_unusual_system_binary_parent.md
hunting/linux/docs/persistence_general_kernel_manipulation.md
hunting/linux/docs/persistence_via_package_manager.md
hunting/linux/docs/persistence_via_message_of_the_day.md
hunting/linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md
hunting/linux/docs/persistence_via_udev.md
hunting/linux/docs/privilege_escalation_via_existing_sudoers.md
hunting/linux/docs/persistence_via_grub_bootloader.md
hunting/linux/docs/persistence_via_desktop_bus.md
hunting/linux/docs/execution_uncommon_process_execution_from_suspicious_directory.md
hunting/linux/docs/privilege_escalation_via_process_capabilities.md
hunting/linux/docs/excessive_ssh_network_activity_unique_destinations.md
hunting/linux/docs/persistence_via_loadable_kernel_modules.md
hunting/linux/docs/persistence_via_pluggable_authentication_module.md
hunting/linux/docs/command_and_control_via_unusual_file_downloads_from_source_addresses.md
hunting/linux/docs/low_volume_modifications_to_critical_system_binaries.md
hunting/linux/docs/persistence_via_network_manager_dispatcher_script.md
hunting/linux/docs/persistence_via_git_hook_pager.md
hunting/linux/docs/persistence_via_dynamic_linker_hijacking.md
hunting/linux/docs/persistence_via_xdg_autostart_modifications.md
hunting/linux/docs/persistence_via_user_group_creation_modification.md
hunting/linux/docs/persistence_via_rpm_dpkg_installer_packages.md
hunting/linux/docs/persistence_via_systemd_timers.md
hunting/linux/docs/login_activity_by_source_address.md
hunting/linux/docs/persistence_via_cron.md
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hidden files and folders
path like ".*/[.][a-zA-Z0-9_]+.*"
20 files:

.pre-commit-config.yaml
.github/PULL_REQUEST_TEMPLATE.md
.github/ISSUE_TEMPLATE/new_hunt.yaml
.github/ISSUE_TEMPLATE/new_rule.yaml
.github/ISSUE_TEMPLATE/rule_deprecation.yaml
.github/ISSUE_TEMPLATE/rule_tuning.yaml
.github/ISSUE_TEMPLATE/schema_feature_request.yaml
.github/ISSUE_TEMPLATE/new_meta.yaml
.github/ISSUE_TEMPLATE/hunt_tuning.yaml
.github/ISSUE_TEMPLATE/bug_report.yaml
.github/ISSUE_TEMPLATE/feature_request.yaml
.github/PULL_REQUEST_GUIDELINES/rule_deprecation_guidelines.md
.github/PULL_REQUEST_GUIDELINES/bug_guidelines.md
.github/PULL_REQUEST_GUIDELINES/enhancement_guidelines.md
.github/PULL_REQUEST_GUIDELINES/rule_tuning_guidelines.md
.github/PULL_REQUEST_GUIDELINES/rule_new_guidelines.md
.github/PULL_REQUEST_GUIDELINES/schema_enhancement_guidelines.md
.github/PULL_REQUEST_GUIDELINES/hunt_new_guidelines.md
.github/PULL_REQUEST_GUIDELINES/hunt_tuning_guidelines.md
.gitignore
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Too long lines (1000+ characters)
3 files:

CLI.md
rules_building_block/defense_evasion_masquerading_windows_dll.toml
rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Too many lines (10000)
1 files:

detection_rules/etc/version.lock.json
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Too long file (1000000+ bytes)
1 files:

git-history.txt
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -